
SR-6 Supplier Assessments and Reviews

Applies to: IL4 Moderate, IL4 High, IL5, IL6

Control Description

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

DoD Impact Level Requirements

FedRAMP Parameter Values

SR-6 [at least annually]

Additional Requirements and Guidance

SR-6 Requirement: CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

Discussion

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor.

Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

Programmatic Queries


Related Services

AWS Artifact
AWS Audit Manager
AWS Config

CLI Commands

List available compliance reports in Artifact
aws artifact list-reports
List Audit Manager assessments (each entry carries its status and last-updated time)
aws auditmanager list-assessments
Get a single Audit Manager assessment by ID (substitute an ID returned by list-assessments)
aws auditmanager get-assessment --assessment-id ASSESSMENT_ID
List the standard (AWS-provided) Audit Manager frameworks
aws auditmanager list-assessment-frameworks --framework-type Standard

These commands enumerate the CSO's own Artifact reports and Audit Manager assessments; they do not assess a supplier's environment. For SR-6 they serve as evidence that supplier reviews were recorded (for example, supplier assessment results attached to an assessment as manual evidence) and that the annual cadence is being kept.
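The FedRAMP parameter above fixes the review cadence at "at least annually", and `list-assessments` is the quickest place to check whether that cadence is actually being met. The script below is an added example, not code from this page or from AWS: it reads the JSON that `aws auditmanager list-assessments` prints (piped on stdin) and flags every assessment that is not ACTIVE, has no `lastUpdated` timestamp, or was last updated more than 365 days ago. The field names (`assessmentMetadata`, `name`, `id`, `status`, `lastUpdated`) and the epoch-seconds encoding of `lastUpdated` are assumptions about the CLI output shape; the vendor names, IDs and timestamps in the embedded sample are constructed and do not describe any real account.

```python
"""Flag AWS Audit Manager assessments that miss the SR-6 annual review cadence.

Usage: aws auditmanager list-assessments | python3 sr6_cadence.py
Run with no stdin to evaluate the constructed sample below instead.
Assumption: list-assessments output has assessmentMetadata[] with name, id,
status and lastUpdated (Unix epoch seconds), as the CLI prints it.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timedelta, timezone

# FedRAMP parameter for SR-6: supplier reviews at least annually.
REVIEW_INTERVAL = timedelta(days=365)

# Constructed sample (not real account data); names, IDs and times are made up.
SAMPLE_LIST_ASSESSMENTS = json.dumps({
    "assessmentMetadata": [
        {"name": "Supplier review - ExampleVendor A",
         "id": "a0000000-0000-4000-8000-000000000001",
         "complianceType": "NIST SP 800-171", "status": "ACTIVE",
         "creationTime": 1700000000.0, "lastUpdated": 1735689600.0},  # 2025-01-01
        {"name": "Supplier review - ExampleVendor B",
         "id": "a0000000-0000-4000-8000-000000000002",
         "complianceType": "NIST SP 800-171", "status": "ACTIVE",
         "creationTime": 1672531200.0, "lastUpdated": 1704067200.0},  # 2024-01-01
        {"name": "Supplier review - ExampleVendor C",
         "id": "a0000000-0000-4000-8000-000000000003",
         "complianceType": "NIST SP 800-171", "status": "INACTIVE",
         "creationTime": 1700000000.0, "lastUpdated": 1740000000.0},  # 2025-02-19
        {"name": "Supplier review - ExampleVendor D",
         "id": "a0000000-0000-4000-8000-000000000004",
         "complianceType": "NIST SP 800-171", "status": "ACTIVE",
         "creationTime": 1700000000.0},                                 # never updated
    ]
})

# Fixed "now" so the sample is reproducible: 2025-06-01T00:00:00Z.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def overdue_assessments(list_output: str, now: datetime,
                        interval: timedelta = REVIEW_INTERVAL) -> list[dict]:
    """Return one finding per assessment that does not evidence a timely review.

    Flagged when the assessment is not ACTIVE, has no lastUpdated timestamp,
    or was last updated more than `interval` before `now`. A finding holds
    the id, name, age in days (None if unknown) and the list of reasons.
    """
    findings = []
    for item in json.loads(list_output).get("assessmentMetadata", []):
        reasons = []
        status = item.get("status")
        if status != "ACTIVE":
            reasons.append(f"status {status} (not ACTIVE)")
        ts = item.get("lastUpdated")
        age_days = None
        if ts is None:
            reasons.append("no lastUpdated timestamp")
        else:
            last = datetime.fromtimestamp(float(ts), tz=timezone.utc)
            age_days = (now - last).days
            if now - last > interval:
                reasons.append(f"last updated {age_days} days ago, "
                               f"exceeds {interval.days} days")
        if reasons:
            findings.append({"id": item.get("id"), "name": item.get("name"),
                             "age_days": age_days, "reasons": reasons})
    return findings


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc) if raw else SAMPLE_NOW
    for f in overdue_assessments(raw or SAMPLE_LIST_ASSESSMENTS, now):
        print(f"{f['id']}  {f['name']}: " + "; ".join(f["reasons"]))
```

On the sample, vendor A passes, B is flagged as 517 days stale, C for being INACTIVE and D for having no update timestamp. Treat a finding as a prompt to pull the assessment with `get-assessment` and check what evidence it actually holds; an ACTIVE assessment updated last week can still be empty of supplier evidence.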

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-6?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?
  • How do you evaluate and select suppliers based on security criteria?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?
  • What anti-counterfeit measures are in place?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you provide recent supplier security assessment reports?
  • Can you show component inventory and validation records?
