SR-3(3)—Supply Chain Controls and Processes | Sub-tier Flow Down
IL5
IL6
Control Description
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
Discussion
To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the flow down of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in SR-3b.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What supply chain risk management policies address SR-3(3)?
- Who is responsible for managing supply chain risks?
- How do you assess and monitor risks from suppliers, vendors, and contractors?
Technical Implementation:
- What processes ensure that supply chain components meet security requirements?
- How do you verify the authenticity and integrity of acquired components?
- What controls prevent counterfeit or malicious components from entering your supply chain?
Evidence & Documentation:
- Can you provide supply chain risk assessments?
- What documentation demonstrates supplier compliance with security requirements?
- Where do you maintain records of supplier assessments and component provenance?