
SR-3(1) Diverse Supply Base

>Control Description

Employ a diverse set of sources for the following system components and services: organization-defined system components and services.

>Supplemental Guidance

Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event.

Organizations consider designing the system to include diverse materials and components.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-3(1)?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?
  • How do you evaluate and select suppliers based on security criteria?
  • What security requirements are imposed on system developers?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you provide recent supplier security assessment reports?
  • Can you show component inventory and validation records?
