Requirement text: RM.4.148: Develop and update as required, a plan for managing supply chain risks
associated with the IT supply chain.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
The growing dependence on products, systems, and services from external providers, along
with the nature of the relationships with those providers, present an increasing level of risk
to an organization. Threat actions that may increase risk include the insertion or use of
counterfeits, unauthorized production, tampering, theft, insertion of malicious software and
hardware, as well as poor manufacturing and development practices in the supply chain.
Supply chain risks can be endemic or systemic within a system element or component, a
system, an organization, a sector, or the Nation. Managing supply chain risk is a complex,
multifaceted undertaking requiring a coordinated effort across an organization building
trust relationships and communicating with both internal and external stakeholders. Supply
chain risk management (SCRM) activities involve identifying and assessing risks,
determining appropriate mitigating actions, developing SCRM plans to document selected
mitigating actions, and monitoring performance against plans. SCRM plans address
requirements for developing trustworthy secure and resilient system components and
systems, including the application of the security design principles implemented as part of
life cycle-based systems security engineering processes. NIST SP 800-161 provides guidance
on supply chain risk management.
CMMC CLARIFICATION
An organization relies heavily on products and solutions created by other entities. These
solution sets can add risk to an organization’s overall cyber security posture. Organizations
need to develop a plan for managing the supply chain risks associated with the IT supply
chain. The scope of the plan is the IT suppliers for the networking, storage, and computing
software, hardware, and services that support the storage, processing and transmission of
CUI and are part of the CMMC assessment. This plan needs to be updated from time to time
and verify that organization policies match the plan, and the organization follows this plan
when obtaining solutions from this supply chain.
Example 1
The organization plans for managing supply chain risks with the IT supply chain, developing
SCRM plan. As an example, the plan prohibits purchasing any products made in specific
countries and requires that purchased items be tested in an offline environment prior to
connecting them to the corporate network.
Example 2
An organization wants to purchase new laptops for a special project that will contain CUI.
The purchasing process follows the supply chain risk management plan written by the
organization. The laptops are purchased from a trusted vendor. After delivery the systems
are analyzed for tampering and the BIOS compared with the version provided by the vendor.
Once the systems pass these checks, then all of their operating systems are re-installed to
prevent any unwanted software from being on the systems prior to given them to users.
References
• CMMC modification of Draft NIST SP 800-171B 3.11.7e
• NIST CSF v1.1 ID.SC-1, ID.SC-2
• CERT RMM v1.2 EC:SG3.SP1, EC:SG3.SP2
• NIST SP 800-53 Rev 4 SA-12