SR-3(2)—Supply Chain Controls and Processes | Limitation of Harm

IL5

IL6

>Control Description

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: ⚙organization-defined controls.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What supply chain risk management policies address SR-3(2)?
•Who is responsible for managing supply chain risks?
•How do you assess and monitor risks from suppliers, vendors, and contractors?
•How do you evaluate and select suppliers based on security criteria?

Technical Implementation:

•What processes ensure that supply chain components meet security requirements?
•How do you verify the authenticity and integrity of acquired components?
•What controls prevent counterfeit or malicious components from entering your supply chain?

Evidence & Documentation:

•Can you provide supply chain risk assessments?
•What documentation demonstrates supplier compliance with security requirements?
•Where do you maintain records of supplier assessments and component provenance?
•Can you provide recent supplier security assessment reports?

Ask AI

Configure your API key to use AI features.