SR: Supply Chain Risk Management

Controls

SR-1: Policy and Procedures

Baseline(s):

  • Low
  • Moderate
  • High

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…

SR-2: Supply Chain Risk Management Plan

Baseline(s):

  • Low
  • Moderate
  • High

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as…

SR-3: Supply Chain Controls and Processes

Baseline(s):

  • Low
  • Moderate
  • High

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit…

SR-4: Provenance

Baseline(s):

(Not part of any baseline)

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].

SR-5: Acquisition Strategies, Tools, and Methods

Baseline(s):

  • Low
  • Moderate
  • High

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].

SR-6: Supplier Assessments and Reviews

Baseline(s):

  • Moderate
  • High

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

SR-7: Supply Chain Operations Security

Baseline(s):

(Not part of any baseline)

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls].

SR-8: Notification Agreements

Baseline(s):

  • Low
  • Moderate
  • High

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Assignment (one or more): notification of supply chain compromises, results of assessments or audits, [Assignment: organization-defined information]].

SR-10: Inspection of Systems or Components

Baseline(s):

  • Low
  • Moderate
  • High

Inspect the following systems or system components [Assignment (one or more): at random, at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components].

SR-11: Component Authenticity

Baseline(s):

  • Low
  • Moderate
  • High

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and Report counterfeit system components to [Assignment (one or more): source of counterfeit component, [Assignment: organization-defined external reporting organizations], [Assignment: organization-defined personnel or roles]].

SR-12: Component Disposal

Baseline(s):

  • Low
  • Moderate
  • High

Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].