
SR-2(1)Supply Chain Risk Management Plan | Establish SCRM Team

Impact levels: IL4 Mod, IL4 High, IL5, IL6

>Control Description

Establish a supply chain risk management team consisting of organization-defined personnel, roles, and responsibilities to lead and support the following SCRM activities: organization-defined supply chain risk management activities.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions.

Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

>Programmatic Queries


Related Services

AWS Artifact
AWS Compliance Hub
AWS Organizations

CLI Commands

List SCRM team IAM roles and permissions
aws iam list-roles --query 'Roles[?RoleName==`SCRM-Team-Role`]'
Get compliance assessment reports
aws artifact describe-report --report-arn arn:aws:artifact:us-east-1:account-id:report/compliance
Create SCRM team access policy
aws iam create-policy --policy-name SCRM-Team-Policy --policy-document file://scrm-policy.json
List organization SCPs for supply chain controls
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
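
The `scrm-policy.json` referenced by the create-policy command above is not shown on this page. The following added example (not part of this page or of any AWS-provided tooling) builds a read-only policy document scoped to the actions those CLI commands need and lints it for over-broad Allow statements before it is attached to the SCRM team role; the action names in SCRM_READ_ACTIONS are assumptions and should be checked against the IAM Service Authorization Reference.

```python
"""Build and sanity-check a least-privilege IAM policy for the SCRM team."""
import json

# Read-only actions backing the CLI commands listed above (assumed action names).
SCRM_READ_ACTIONS = [
    "iam:ListRoles",
    "iam:GetRole",
    "artifact:ListReports",
    "artifact:GetReport",
    "artifact:GetReportMetadata",
    "organizations:ListPolicies",
    "organizations:DescribePolicy",
]


def build_scrm_policy(actions=SCRM_READ_ACTIONS):
    """Return the policy document as a dict; dump it to scrm-policy.json."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SCRMTeamReadOnly",
                "Effect": "Allow",
                "Action": sorted(actions),
                "Resource": "*",
            }
        ],
    }


def find_overbroad_statements(policy):
    """Return Sids of Allow statements with wildcard actions, or non-read actions on '*'."""
    read_prefixes = ("Get", "List", "Describe")
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        non_read = [a for a in actions
                    if a != "*" and not a.split(":", 1)[-1].startswith(read_prefixes)]
        if wildcard_action or (non_read and "*" in resources):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = build_scrm_policy()
    assert not find_overbroad_statements(policy), "policy is broader than intended"
    print(json.dumps(policy, indent=2))  # redirect to scrm-policy.json
```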

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-2(1)?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
