SR-3(2)—Supply Chain Controls and Processes | Limitation of Harm
IL5
IL6
>Control Description
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: ⚙organization-defined controls.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What supply chain risk management policies address SR-3(2)?
- •Who is responsible for managing supply chain risks?
- •How do you assess and monitor risks from suppliers, vendors, and contractors?
- •How do you evaluate and select suppliers based on security criteria?
Technical Implementation:
- •What processes ensure that supply chain components meet security requirements?
- •How do you verify the authenticity and integrity of acquired components?
- •What controls prevent counterfeit or malicious components from entering your supply chain?
Evidence & Documentation:
- •Can you provide supply chain risk assessments?
- •What documentation demonstrates supplier compliance with security requirements?
- •Where do you maintain records of supplier assessments and component provenance?
- •Can you provide recent supplier security assessment reports?
Ask AI
Configure your API key to use AI features.