SR - Supply Chain Risk Management

  • Controls Count: 1
  • Controls IDs: SR-6

Controls

SR-6: Supplier Assessments and Reviews

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide at an organization-defined frequency (the frequency at which to assess and review these supply chain-related risks is defined by the organization).

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

Assessment objective: the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed at the organization-defined frequency (the frequency at which to assess and review these supply chain-related risks is defined).

Documents and records to examine:

  • Supply chain risk management policy and procedures
  • supply chain risk management strategy
  • supply chain risk management plan
  • system and services acquisition policy
  • procedures addressing supply chain protection
  • procedures addressing the integration of information security requirements into the acquisition process
  • records of supplier due diligence reviews
  • system security plan
  • other relevant documents or records

Personnel to interview:

  • Organizational personnel with system and services acquisition responsibilities
  • organizational personnel with information security responsibilities
  • organizational personnel with supply chain protection responsibilities

Processes and mechanisms to test:

  • Organizational processes for conducting supplier reviews
  • mechanisms supporting and/or implementing supplier reviews