SR-3(1)—Supply Chain Controls and Processes | Diverse Supply Base
IL5
IL6
Control Description
Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].
DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
Discussion
Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event.
Organizations consider designing the system to include diverse materials and components.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What supply chain risk management policies address SR-3(1)?
- Who is responsible for managing supply chain risks?
- How do you assess and monitor risks from suppliers, vendors, and contractors?
- How do you evaluate and select suppliers based on security criteria?
- What security requirements are imposed on system developers?
Technical Implementation:
- What processes ensure that supply chain components meet security requirements?
- How do you verify the authenticity and integrity of acquired components?
- What controls prevent counterfeit or malicious components from entering your supply chain?
- How do you track and verify the provenance of system components?
Evidence & Documentation:
- Can you provide supply chain risk assessments?
- What documentation demonstrates supplier compliance with security requirements?
- Where do you maintain records of supplier assessments and component provenance?
- Can you provide recent supplier security assessment reports?
- Can you show component inventory and validation records?