>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SR-3Supply Chain Controls and Processes

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of organization-defined system or system component in coordination with organization-defined supply chain personnel;

b

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: organization-defined supply chain controls; and

c

Document the selected and implemented supply chain processes and controls in security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document].

>DoD Impact Level Requirements

Additional Requirements and Guidance

SR-3 Requirement: CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

>Discussion

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers.

Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

>Programmatic Queries

Beta

Related Services

Amazon ECR
AWS CodeArtifact
Amazon Inspector

CLI Commands

List ECR image scan findings
aws ecr describe-image-scan-findings --repository-name REPO_NAME --image-id imageTag=latest
List CodeArtifact repositories
aws codeartifact list-repositories
Get ECR repository scan configuration
aws ecr get-registry-scanning-configuration
List CodeArtifact packages and versions
aws codeartifact list-packages --domain DOMAIN_NAME --repository REPO_NAME
Open AWS ConsoleDocumentation

>Related Controls

CA-2
MA-2
MA-6
PE-3
PE-16
PL-8
PM-30
SA-2
SA-3
SA-4
SA-5
SA-8
SA-9
SA-10
SA-15
SC-7
SC-29
SC-30
SC-38
SI-7
SR-6
SR-9
SR-11

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-3?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you show component inventory and validation records?

Ask AI

Configure your API key to use AI features.