Last updated Feb 18, 2026, 2:55 AM UTC

RA-3(1)Risk Assessment | Supply Chain Risk Assessment

IL4 Mod
IL4 High
IL5
IL6

>Control Description

(a) Assess supply chain risks associated with organization-defined systems, system components, and system services; and (b) Update the supply chain risk assessment at the organization-defined frequency, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle.

An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.
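Part (b) of the control is only actionable if something detects "significant changes to the relevant supply chain". The following script, added here as an illustration and not part of the control text or this page's original content, shows one way to implement that trigger: it diffs two SBOM snapshots of a system and classifies each change against the event types listed in the discussion above (new or unvetted supplier, same version with a different artifact hash suggesting a counterfeit or tampered build, new component with no provenance). It assumes the organization already produces a CycloneDX-style SBOM per build; the two snapshots, the supplier names and the severity policy are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


def _h(s: str) -> str:
    """SHA-256 of a short placeholder string; stands in for real artifact digests."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed data: two CycloneDX-style SBOM snapshots of one system,
# hand-written for this example (not real product data).
SBOM_BASELINE = {
    "components": [
        {"name": "openssl", "version": "3.0.13", "supplier": {"name": "OpenSSL Project"},
         "hashes": [{"alg": "SHA-256", "content": _h("openssl-3.0.13")}]},
        {"name": "libxml2", "version": "2.12.6", "supplier": {"name": "GNOME"},
         "hashes": [{"alg": "SHA-256", "content": _h("libxml2-2.12.6")}]},
        {"name": "requests", "version": "2.31.0", "supplier": {"name": "PSF"},
         "hashes": [{"alg": "SHA-256", "content": _h("requests-2.31.0")}]},
    ]
}
SBOM_CURRENT = {
    "components": [
        # routine version bump from the same supplier
        {"name": "openssl", "version": "3.0.14", "supplier": {"name": "OpenSSL Project"},
         "hashes": [{"alg": "SHA-256", "content": _h("openssl-3.0.14")}]},
        # same name and version, different artifact: possible counterfeit or tampering
        {"name": "libxml2", "version": "2.12.6", "supplier": {"name": "GNOME"},
         "hashes": [{"alg": "SHA-256", "content": _h("libxml2-2.12.6-rebuilt")}]},
        # same artifact now sourced from a different supplier
        {"name": "requests", "version": "2.31.0", "supplier": {"name": "unknown-mirror"},
         "hashes": [{"alg": "SHA-256", "content": _h("requests-2.31.0")}]},
        # brand-new dependency with no supplier metadata at all
        {"name": "left-pad", "version": "1.3.0",
         "hashes": [{"alg": "SHA-256", "content": _h("left-pad-1.3.0")}]},
    ]
}


@dataclass(frozen=True)
class Trigger:
    component: str
    kind: str       # added | removed | version_changed | supplier_changed | hash_mismatch
    severity: str   # high | medium | low
    detail: str


def _index(sbom):
    """Map component name -> (version, supplier name or None, SHA-256 or None)."""
    out = {}
    for c in sbom.get("components", []):
        sha = next((h["content"] for h in c.get("hashes", []) if h.get("alg") == "SHA-256"), None)
        supplier = (c.get("supplier") or {}).get("name")
        out[c["name"]] = (c.get("version"), supplier, sha)
    return out


def assess_changes(baseline, current):
    """Compare two SBOM snapshots and return the supply chain changes that matter
    for RA-3(1)(b). The severity policy is this example's assumption: anything
    that hints at tampering or an unvetted source is rated 'high'."""
    old, new = _index(baseline), _index(current)
    triggers = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            ver, sup, _ = new[name]
            sev = "medium" if sup else "high"   # no supplier => no provenance to assess
            triggers.append(Trigger(name, "added", sev, f"new component {ver}, supplier={sup}"))
            continue
        if name not in new:
            triggers.append(Trigger(name, "removed", "low", "component no longer present"))
            continue
        (ov, osup, oh), (nv, nsup, nh) = old[name], new[name]
        if osup != nsup:
            triggers.append(Trigger(name, "supplier_changed", "high", f"{osup} -> {nsup}"))
        if ov == nv and oh and nh and oh != nh:
            # identical version string but a different artifact: the case the
            # discussion calls counterfeit insertion or malicious development
            triggers.append(Trigger(name, "hash_mismatch", "high",
                                    f"same version {nv}, different artifact hash"))
        elif ov != nv:
            triggers.append(Trigger(name, "version_changed", "low", f"{ov} -> {nv}"))
    return triggers


def reassessment_required(triggers, threshold="medium"):
    """True when any trigger meets the threshold severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return any(rank[t.severity] >= rank[threshold] for t in triggers)


if __name__ == "__main__":
    found = assess_changes(SBOM_BASELINE, SBOM_CURRENT)
    for t in found:
        print(f"{t.severity:6} {t.kind:17} {t.component}: {t.detail}")
    print("re-assessment required:", reassessment_required(found))
```

Run against the constructed snapshots, the diff yields four triggers: a low-severity version bump for openssl, a high-severity supplier change for requests, a high-severity hash mismatch for libxml2, and a high-severity unvetted addition of left-pad, so the re-assessment gate fires. The threshold and the severity table are the policy knobs an organization would tune to match its own "significant change" definition.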

>Programmatic Queries


Related Services

AWS Security Hub
AWS Config
AWS Service Catalog

CLI Commands

Enable Security Hub in the region that will aggregate findings
aws securityhub enable-security-hub --region us-east-1
Create a Config aggregator across the accounts in scope (AllAwsRegions=true already covers every region, so AwsRegions is not also specified; the account IDs are placeholders)
aws configservice put-configuration-aggregator --configuration-aggregator-name supply-chain-agg --account-aggregation-sources '[{"AccountIds":["123456789012","210987654321"],"AllAwsRegions":true}]'
Create a Service Catalog product so that only templates from vetted suppliers can be provisioned (--owner is a required parameter of create-product)
aws servicecatalog create-product --name 'Compliant Supplier Service' --owner 'Security Engineering' --product-type CLOUD_FORMATION_TEMPLATE --provisioning-artifact-parameters file://artifact.json
Pull active Security Hub findings from Amazon Inspector, which reports vulnerable third-party packages in workloads; Security Hub has no product named "AWS::SupplyChain", and --filters takes a JSON AwsSecurityFindingFilters object rather than a Key/Value list
aws securityhub get-findings --filters '{"ProductName":[{"Value":"Inspector","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}'

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your organization's documented risk assessment policy and how does it address the requirements of RA-3(1)?
  • Who has been designated as responsible for conducting and maintaining risk assessments?
  • How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

  • What methodology or framework do you use to conduct risk assessments?
  • How do you identify and categorize threats and vulnerabilities during the risk assessment process?
  • What tools or systems support your risk assessment activities?

Evidence & Documentation:

  • Can you provide the most recent risk assessment report?
  • What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
  • Where are risk assessment results documented and how long are they retained?
