Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
An organization relies heavily on products and solutions created by other entities. These solution sets can add risk to an organization’s overall cyber security posture. Organizations need to develop a plan for managing the supply chain risks associated with the IT supply chain. The scope of the plan is the IT suppliers for the networking, storage, and computing software, hardware, and services that support the storage, processing and transmission of CUI and are part of the CMMC assessment. This plan needs to be updated from time to time and verify that organization policies match the plan, and the organization follows this plan when obtaining solutions from this supply chain. Example 1 The organization plans for managing supply chain risks with the IT supply chain, developing SCRM plan. As an example, the plan prohibits purchasing any products made in specific countries and requires that purchased items be tested in an offline environment prior to connecting them to the corporate network. Example 2 An organization wants to purchase new laptops for a special project that will contain CUI. The purchasing process follows the supply chain risk management plan written by the organization. The laptops are purchased from a trusted vendor. After delivery the systems are analyzed for tampering and the BIOS compared with the version provided by the vendor. Once the systems pass these checks, then all of their operating systems are re-installed to prevent any unwanted software from being on the systems prior to given them to users.
DRAFT NIST SP 800-171B The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. SCRM plans address requirements for developing trustworthy secure and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes. NIST SP 800-161 provides guidance on supply chain risk management.
NIST SP 800-53 Rev 4 SA-12
NIST CSF v1.1 ID.SC-1, ID.SC-2
CERT RMM v1.2 EC:SG3.SP1, EC:SG3.SP2
CMMC modification of Draft NIST SP 800-171B 3.11.7e