SR: Supply Chain Risk Management

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as…

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit…

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls].

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Assignment (one or more): notification of supply chain compromises, results of assessments or audits, [Assignment: organization-defined information] ].

Implement a tamper protection program for the system, system component, or system service.

Inspect the following systems or system components [Assignment (one or more): at random, at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection] ] to detect tampering: [Assignment: organization-defined systems or system components].

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and Report counterfeit system components to [Assignment (one or more): source of counterfeit component, [Assignment: organization-defined external reporting organizations] , [Assignment: organization-defined personnel or roles] ].

Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].