>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SR-5Acquisition Strategies, Tools, and Methods

LI-SaaS
Low
Moderate
High

>Control Description

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: organization-defined acquisition strategies, contract tools, and procurement methods.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation.

Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed.

Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

>Cross-Framework Mappings

SCF

TPM-03.1
Compare

>Programmatic Queries

Beta

Related Services

AWS Marketplace
AWS Service Catalog
AWS License Manager

CLI Commands

List Marketplace subscriptions
aws marketplace-catalog list-entities --catalog AWSMarketplace --entity-type Offer
List Service Catalog products
aws servicecatalog search-products
List managed licenses
aws license-manager list-licenses
List license configurations
aws license-manager list-license-configurations
Open AWS ConsoleDocumentation

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-5?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?
  • How do you evaluate and select suppliers based on security criteria?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?
  • What anti-counterfeit measures are in place?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you provide recent supplier security assessment reports?
  • Can you show component inventory and validation records?

Ask AI

Configure your API key to use AI features.