Supply Chain Risk Management (SCRM)
Supply Chain Risk Management is the discipline of identifying, assessing, and mitigating the cybersecurity risks that your vendors, suppliers, and service providers introduce into your environment. Your security is only as strong as the weakest link in your supply chain: a compromised vendor's software update, remote-access credentials, or hosted service can give an attacker a path into your systems that bypasses your own perimeter controls.
SCRM involves vetting vendors' security practices before onboarding them, writing cybersecurity requirements into contracts, monitoring vendor security posture for the life of the relationship, and maintaining contingency plans for the case where a vendor is compromised. The 2020 SolarWinds attack, in which a trojanized update to the Orion platform was distributed to thousands of customers through the vendor's own signed update channel, demonstrated how devastating supply chain compromises can be.
Why It Matters
CMMC includes supply chain risk management requirements, and the DoD increasingly scrutinizes contractor supply chains. Understanding and managing the cybersecurity risks your vendors introduce is both a compliance requirement and a practical business necessity.