Control ID Title / Statement Priority Baseline Impact
SR-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:
   1. {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
b. Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;
c. Review and update the current supply chain risk management:
   1. Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }}; and
   2. Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}.
Param ID Label Constraint / Choices
sr-1_prm_1 organization-defined personnel or roles Organization-defined
sr-01_odp.01 personnel or roles personnel or roles to whom the supply chain risk management policy is to be disseminated is/are defined;
sr-01_odp.02 personnel or roles personnel or roles to whom the supply chain risk management procedures are to be disseminated is/are defined;
sr-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
sr-01_odp.04 official an official to manage the development, documentation, and dissemination of the supply chain risk management policy an...
sr-01_odp.05 frequency the frequency at which the current supply chain risk management policy is reviewed and updated is defined;
sr-01_odp.06 events events that require the current supply chain risk management policy to be reviewed and updated are defined;
sr-01_odp.07 frequency the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;
sr-01_odp.08 events events that require the supply chain risk management procedures to be reviewed and updated are defined;
SR-02
Supply Chain Risk Management Plan 2 params
a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal...
b. Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or envi...
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.
Param ID Label Constraint / Choices
sr-02_odp.01 systems, system components, or system services systems, system components, or system services for which a supply chain risk management plan is developed are defined;
sr-02_odp.02 frequency the frequency at which to review and update the supply chain risk management plan is defined;
SR-02(01)
Establish SCRM Team 2 params
Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}.
Param ID Label Constraint / Choices
sr-02.01_odp.01 personnel, roles and responsibilities the personnel, roles, and responsibilities of the supply chain risk management team are defined;
sr-02.01_odp.02 supply chain risk management activities supply chain risk management activities are defined;
SR-03
Supply Chain Controls and Processes 5 params
a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ inse...
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or con...
c. Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}.
Param ID Label Constraint / Choices
sr-03_odp.01 system or system component the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is...
sr-03_odp.02 supply chain personnel supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficie...
sr-03_odp.03 supply chain controls supply chain controls employed to protect against supply chain risks to the system, system component, or system servi...
sr-03_odp.04 Select one-or-more: security and privacy plans; supply chain risk management plan; {{ insert: param, sr-03_odp.05 }}
sr-03_odp.05 document the document identifying the selected and implemented supply chain processes and controls is defined (if selected);
SR-03(01)
Diverse Supply Base 3 params
Employ a diverse set of sources for the following system components and services: {{ insert: param, sr-3.1_prm_1 }}.
Param ID Label Constraint / Choices
sr-3.1_prm_1 organization-defined system components and services Organization-defined
sr-03.01_odp.01 system components system components with a diverse set of sources are defined;
sr-03.01_odp.02 services services with a diverse set of sources are defined;
SR-03(02)
Limitation of Harm 1 param
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: {{ insert: param, sr-03.02_odp }}.
Param ID Label Constraint / Choices
sr-03.02_odp controls controls to limit harm from potential supply chain adversaries are defined;
SR-03(03)
Sub-tier Flow Down
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
SR-04
Provenance 1 param
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: {{ insert: param, sr-04_odp }}.
Param ID Label Constraint / Choices
sr-04_odp systems, system components, and associated data systems, system components, and associated data that require valid provenance are defined;
SR-04(01)
Identity 1 param
Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: {{ insert: param, sr-04.01_odp }}.
Param ID Label Constraint / Choices
sr-04.01_odp supply chain elements, processes, and personnel supply chain elements, processes, and personnel associated with systems and critical system components that require u...
SR-04(02)
Track and Trace 1 param
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: {{ insert: param, sr-04.02_odp }}.
Param ID Label Constraint / Choices
sr-04.02_odp systems and critical system components systems and critical system components that require unique identification for tracking through the supply chain are d...
SR-04(03)
Validate as Genuine and Not Altered 3 params
Employ the following controls to validate that the system or system component received is genuine and has not been altered: {{ insert: param, sr-4.3_prm_1 }}.
Param ID Label Constraint / Choices
sr-4.3_prm_1 organization-defined controls Organization-defined
sr-04.03_odp.01 controls controls to validate that the system or system component received is genuine are defined;
sr-04.03_odp.02 controls controls to validate that the system or system component received has not been altered are defined;
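The following is an added worked example of the kind of check SR-04(3) calls for; it is not text from SP 800-53, and it is not any supplier's or vendor's tooling. It assumes the supplier publishes a manifest of SHA-256 digests for the components it shipped and authenticates that manifest; the HMAC used here is a stand-in for the supplier's signature (in practice an asymmetric signature over an SBOM, for example with Sigstore/cosign or OpenPGP, so that the receiver needs no shared secret). All file names, byte strings and the key are constructed for the example. The receiver classifies each component as genuine and unaltered (`ok`), `altered`, `missing`, or `unlisted`, and accepts the delivery only when the manifest authenticates and every listed component is `ok`.

```python
"""Verify received components against an authenticated digest manifest.

Added example for SR-04(3) (validate as genuine and not altered). Every
name, byte string and key below is constructed for illustration; NIST
SP 800-53 defines the control, not this mechanism.
"""
import hashlib
import hmac
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_manifest(manifest: Dict[str, str]) -> bytes:
    # Stable serialisation so the authentication tag covers exactly one byte string.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    # Stand-in for the supplier's signature. Real deployments use an asymmetric
    # signature (e.g. Sigstore/cosign, OpenPGP) so the receiver holds no secret.
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    # Constant-time comparison of the recomputed tag with the one delivered.
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_components(manifest: Dict[str, str], received: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each component as ok, altered, missing (listed but not received)
    or unlisted (received but not in the manifest)."""
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in received:
            report[name] = "missing"
        elif hmac.compare_digest(sha256_hex(received[name]), expected):
            report[name] = "ok"
        else:
            report[name] = "altered"
    for name in received:
        if name not in manifest:
            report[name] = "unlisted"
    return report


def accept_delivery(manifest: Dict[str, str], tag: str, key: bytes,
                    received: Dict[str, bytes]) -> bool:
    """Accept only if the manifest authenticates and every component is 'ok'.
    An unlisted extra component is a rejection, not a warning."""
    if not manifest_is_authentic(manifest, tag, key):
        return False
    return all(status == "ok" for status in verify_components(manifest, received).values())


# --- Constructed data -------------------------------------------------------
SUPPLIER_KEY = b"constructed-shared-key"          # stand-in for the supplier's signing key
SUPPLIER_BUILD = {                                # what the supplier actually built
    "agent.bin": b"\x7fELF constructed agent binary v1.4.2",
    "agent.cfg": b"update_url=https://updates.example.invalid\nverify=1\n",
}
MANIFEST = {name: sha256_hex(data) for name, data in SUPPLIER_BUILD.items()}
MANIFEST_TAG = sign_manifest(MANIFEST, SUPPLIER_KEY)

# Constructed delivery: the config was altered in transit and an extra library appeared.
TAMPERED_DELIVERY = {
    "agent.bin": SUPPLIER_BUILD["agent.bin"],
    "agent.cfg": b"update_url=http://updates.example.invalid\nverify=0\n",
    "helper.so": b"constructed unlisted component",
}

if __name__ == "__main__":
    for name, status in verify_components(MANIFEST, TAMPERED_DELIVERY).items():
        print(f"{name:<12} {status}")
    print("accepted:", accept_delivery(MANIFEST, MANIFEST_TAG, SUPPLIER_KEY, TAMPERED_DELIVERY))
```

The point a practitioner should take from this is the second function, not the first: a digest list delivered next to the artifact, over the same channel, detects corruption but not substitution, because an adversary who can replace the artifact can replace the list. The manifest must be bound to the supplier's identity (SR-04(1)) before its digests are trusted, and a forged manifest that matches the tampered component must fail the authenticity check.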
SR-04(04)
Supply Chain Integrity — Pedigree 2 params
Employ {{ insert: param, sr-04.04_odp.01 }} and conduct {{ insert: param, sr-04.04_odp.02 }} to ensure the integrity of the system and system components by validating the internal composition and p...
Param ID Label Constraint / Choices
sr-04.04_odp.01 controls controls employed to ensure that the integrity of the system and system component are defined;
sr-04.04_odp.02 analysis method an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essenti...
SR-05
Acquisition Strategies, Tools, and Methods 1 param
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}.
Param ID Label Constraint / Choices
sr-05_odp strategies, tools, and methods acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply cha...
SR-05(01)
Adequate Supply 2 params
Employ the following controls to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}: {{ insert: param, sr-05.01_odp.01 }}.
Param ID Label Constraint / Choices
sr-05.01_odp.01 controls controls to ensure an adequate supply of critical system components are defined;
sr-05.01_odp.02 critical system components critical system components of which an adequate supply is required are defined;
SR-05(02)
Assessments Prior to Selection, Acceptance, Modification, or Update
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
SR-06
Supplier Assessments and Reviews 1 param
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.
Param ID Label Constraint / Choices
sr-06_odp frequency the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors a...
SR-06(01)
Testing and Analysis 2 params
Employ {{ insert: param, sr-06.01_odp.01 }} of the following supply chain elements, processes, and actors associated with the system, system component, or system service: {{ insert: param, sr-06.01_odp.02 }}.
Param ID Label Constraint / Choices
sr-06.01_odp.01 Select one-or-more: organizational analysis; independent third-party analysis; organizational testing; independent third-party testing
sr-06.01_odp.02 supply chain elements, processes, and actors supply chain elements, processes, and actors to be analyzed and tested are defined;
SR-07
Supply Chain Operations Security 1 param
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: {{ insert: param, sr-07_odp }}.
Param ID Label Constraint / Choices
sr-07_odp OPSEC controls Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or...
SR-08
Notification Agreements 2 params
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.
Param ID Label Constraint / Choices
sr-08_odp.01 Select one-or-more: notification of supply chain compromises; {{ insert: param, sr-08_odp.02 }}
sr-08_odp.02 results of assessments or audits information for which agreements and procedures are to be established are defined (if selected);
SR-09
Tamper Resistance and Detection
Implement a tamper protection program for the system, system component, or system service.
SR-09(01)
Multiple Stages of System Development Life Cycle
Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.
SR-10
Inspection of Systems or Components 4 params
Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}.
Param ID Label Constraint / Choices
sr-10_odp.01 systems or system components systems or system components that require inspection are defined;
sr-10_odp.02 Select one-or-more: at random; at {{ insert: param, sr-10_odp.03 }}; upon {{ insert: param, sr-10_odp.04 }}
sr-10_odp.03 frequency frequency at which to inspect systems or system components is defined (if selected);
sr-10_odp.04 indications of need for inspection indications of the need for an inspection of systems or system components are defined (if selected);
SR-11
Component Authenticity 3 params
a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
b. Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}.
Param ID Label Constraint / Choices
sr-11_odp.01 Select one-or-more: source of counterfeit component; {{ insert: param, sr-11_odp.02 }}; {{ insert: param, sr-11_odp.03 }}
sr-11_odp.02 external reporting organizations external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);
sr-11_odp.03 personnel or roles personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);
SR-11(01)
Anti-counterfeit Training 1 param
Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware).
Param ID Label Constraint / Choices
sr-11.01_odp personnel or roles personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firm...
SR-11(02)
Configuration Control for Component Service and Repair 1 param
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}.
Param ID Label Constraint / Choices
sr-11.02_odp system components system components requiring configuration control are defined;
SR-11(03)
Anti-counterfeit Scanning 1 param
Scan for counterfeit system components {{ insert: param, sr-11.03_odp }}.
Param ID Label Constraint / Choices
sr-11.03_odp frequency the frequency at which to scan for counterfeit system components is defined;
SR-12
Component Disposal 2 params
Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}.
Param ID Label Constraint / Choices
sr-12_odp.01 data, documentation, tools, or system components data, documentation, tools, or system components to be disposed of are defined;
sr-12_odp.02 techniques and methods techniques and methods for disposing of data, documentation, tools, or system components are defined;