SR-3(1) Supply Chain Controls and Processes | Diverse Supply Base

IL5
IL6

>Control Description

Employ a diverse set of sources for the following system components and services: organization-defined system components and services.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event.

Organizations consider designing the system to include diverse materials and components.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-3(1)?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?
  • How do you evaluate and select suppliers based on security criteria?
  • What security requirements are imposed on system developers?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you provide recent supplier security assessment reports?
  • Can you show component inventory and validation records?
