SR: Supply Chain Risk Management
Controls
SR-1: Policy and Procedures
Baseline(s):
- Low
- Moderate
- High
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
SR-2: Supply Chain Risk Management Plan
Baseline(s):
- Low
- Moderate
- High
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as…
SR-3: Supply Chain Controls and Processes
Baseline(s):
- Low
- Moderate
- High
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit…
SR-4: Provenance
Baseline(s):
- None (not selected in the Low, Moderate, or High baselines)
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].
SR-5: Acquisition Strategies, Tools, and Methods
Baseline(s):
- Low
- Moderate
- High
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
SR-6: Supplier Assessments and Reviews
Baseline(s):
- Moderate
- High
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].
SR-7: Supply Chain Operations Security
Baseline(s):
- None (not selected in the Low, Moderate, or High baselines)
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls].
SR-8: Notification Agreements
Baseline(s):
- Low
- Moderate
- High
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Assignment (one or more): notification of supply chain compromises, results of assessments or audits, [Assignment: organization-defined information]].
SR-9: Tamper Resistance and Detection
Baseline(s):
- High
Implement a tamper protection program for the system, system component, or system service.
SR-10: Inspection of Systems or Components
Baseline(s):
- Low
- Moderate
- High
Inspect the following systems or system components [Assignment (one or more): at random, at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components].
SR-11: Component Authenticity
Baseline(s):
- Low
- Moderate
- High
Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and Report counterfeit system components to [Assignment (one or more): source of counterfeit component, [Assignment: organization-defined external reporting organizations], [Assignment: organization-defined personnel or roles]].
SR-12: Component Disposal
Baseline(s):
- Low
- Moderate
- High
Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].