Back to Control Explorer
RM.4.148
Content
Control Acronym
RM
Family
Risk Management
CMMC Level
4
800-171 Control #
N/A
CMMC Description
Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
CMMC Clarification
An organization relies heavily on products and solutions created by other entities. These solution sets can add risk to an organization’s overall cyber security posture. Organizations need to develop a plan for managing the supply chain risks associated with the IT supply chain. The scope of the plan is the IT suppliers for the networking, storage, and computing software, hardware, and services that support the storage, processing and transmission of CUI and are part of the CMMC assessment. This plan needs to be updated from time to time and verify that organization policies match the plan, and the organization follows this plan when obtaining solutions from this supply chain. Example 1 The organization plans for managing supply chain risks with the IT supply chain, developing SCRM plan. As an example, the plan prohibits purchasing any products made in specific countries and requires that purchased items be tested in an offline environment prior to connecting them to the corporate network. Example 2 An organization wants to purchase new laptops for a special project that will contain CUI. The purchasing process follows the supply chain risk management plan written by the organization. The laptops are purchased from a trusted vendor. After delivery the systems are analyzed for tampering and the BIOS compared with the version provided by the vendor. Once the systems pass these checks, then all of their operating systems are re-installed to prevent any unwanted software from being on the systems prior to given them to users.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
DRAFT NIST SP 800-171B The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. SCRM plans address requirements for developing trustworthy secure and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes. NIST SP 800-161 provides guidance on supply chain risk management.
CIS Control References
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 SA-12
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 ID.SC-1, ID.SC-2
CERT RMM Reference
CERT RMM v1.2 EC:SG3.SP1, EC:SG3.SP2
Modification of NIST 800-171B Reference
CMMC modification of Draft NIST SP 800-171B 3.11.7e