>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SR-2Supply Chain Risk Management Plan

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: organization-defined systems, system components, or system services;

b

Review and update the supply chain risk management plan organization-defined frequency or as required, to address threat, organizational or environmental changes; and

c

Protect the supply chain risk management plan from unauthorized disclosure and modification.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SR-2 (b) [at least annually]

>Discussion

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation.

Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications.

It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions. Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts.

Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities.

Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

>Programmatic Queries

Beta

Related Services

Amazon Inspector
AWS Config
AWS Systems Manager

CLI Commands

List software bill of materials findings
aws inspector2 list-findings --filter-criteria '{"findingType":[{"comparison":"EQUALS","value":"PACKAGE_VULNERABILITY"}]}'
List third-party package vulnerabilities
aws inspector2 list-findings --filter-criteria '{"title":[{"comparison":"PREFIX","value":"CVE"}]}' --max-results 20
Generate SBOM for ECR images
aws inspector2 list-findings --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_CONTAINER_IMAGE"}]}'
List Inspector coverage for SBOM tracking
aws inspector2 list-coverage --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_CONTAINER_IMAGE"}]}'
Open AWS ConsoleDocumentation

>Related Controls

CA-2
CP-4
IR-4
MA-2
MA-6
PE-16
PL-2
PM-9
PM-30
RA-3
RA-7
SA-8
SI-4

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-2?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?
  • What anti-counterfeit measures are in place?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you show component inventory and validation records?

Ask AI

Configure your API key to use AI features.