>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SR-6(1)Supplier Assessments and Reviews | Testing and Analysis

IL5
IL6

>Control Description

Employ [Selection (one or more): organizational analysis; independent third-party analysis; organizational testing; independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: organization-defined supply chain elements, processes, and actors.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services. Supply chain processes include supply chain risk management programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements.

Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.

>Related Controls

CA-8
SI-4

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-6(1)?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you show component inventory and validation records?

Ask AI

Configure your API key to use AI features.