PM 30 SUPPLY CHAIN RISK MANAGEMENT STRATEGY - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

PM-30 SUPPLY CHAIN RISK MANAGEMENT STRATEGY

Control:

  • a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
  • b. Implement the supply chain risk management strategy consistently across the organization; and
  • c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes.

Discussion: An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-2) is implemented at the system level.

Related Controls: CM-10, PM-9, SR-1, SR-2, SR-3, SR-4, SR-5, SR-6, SR-7, SR-8, SR-9, SR-11.

Control Enhancements:

  • (1) SUPPLY CHAIN RISK MANAGEMENT STRATEGY / SUPPLIERS OF CRITICAL OR MISSION-ESSENTIAL ITEMS
    Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

    Discussion: The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see SR-6) and supply chain risk assessment processes (see RA-3(1)). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

    Related Controls: RA-3, SR-6.

References: [PRIVACT], [FASC18], [41 CFR 201], [EO 13873], [OMB A-130], [OMB M-17-06], [ISO 27036], [ISO 20243], [SP 800-161], [IR 8272].
