SR-3: Supply Chain Controls and Processes

CSF v1.1 References:

Baselines:

  • Low
    • SR-3
  • Moderate
    • SR-3
  • High
    • SR-3
  • Privacy

    N/A

Control is new to this version of the control set and incorporates the following control from the previous version: SA-12(15): Processes To Address Weaknesses Or Deficiencies.

Control Statement

  1. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
  2. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
  3. Document the selected and implemented supply chain processes and controls in [Assignment: security and privacy plans, supply chain risk management plan, [Assignment: organization-defined document]].

Supplemental Guidance

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

Control Enhancements

SR-3(1): Diverse Supply Base

Baseline(s):

(Not part of any baseline)

Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].

SR-3(2): Limitation of Harm

Baseline(s):

(Not part of any baseline)

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls].

SR-3(3): Sub-tier Flow Down

Baseline(s):

(Not part of any baseline)

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.