NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-30 Supply Chain Risk Management Strategy

a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

b. Implement the supply chain risk management strategy consistently across the organization; and

c. Review and update the supply chain risk management strategy on {{ insert: param, pm-30_odp }} or as required, to address organizational changes.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization's overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see [SR-2](#sr-2)) is implemented at the system level.

Practitioner Notes

Supply chain risk management (SCRM) means understanding and managing the risks that come from your suppliers, vendors, and service providers. A compromised vendor can become your organization's biggest vulnerability.

Example 1: Write an SCRM strategy that defines how you evaluate vendors before signing contracts (security questionnaires, SOC 2 reports, penetration test results), how you monitor them during the relationship, and how you handle a vendor security incident. Apply more scrutiny to vendors with access to sensitive data.

Example 2: Maintain a vendor risk register that categorizes each supplier by criticality (how dependent are you on them) and risk (what data or systems they can access). Use a vendor risk management platform or a structured spreadsheet to track each vendor's compliance status, contract renewal dates, and last assessment.