NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-30(1) Suppliers of Critical or Mission-essential Items

Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see [SR-6](#sr-6)) and supply chain risk assessment processes (see [RA-3(1)](#ra-3.1)). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

Practitioner Notes

This enhancement focuses specifically on vendors who supply critical or mission-essential items — components, software, or services without which your operations would stop. These suppliers need the most scrutiny.

Example 1: Identify your single-source suppliers and components that have no viable alternatives. For each one, develop a contingency plan: an alternate supplier, a stockpile of spare parts, or an internal capability to replicate the function if the supplier is compromised or unavailable.

Example 2: Require critical suppliers to provide a Software Bill of Materials (SBOM) for any software they deliver. Review the SBOM for known vulnerabilities using tools like OWASP Dependency-Check or Snyk, and include SBOM requirements in your procurement contracts.
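As an added example (not part of the control text and not the code of any tool named above), the following Python sketches the SBOM review step from Example 2: it parses a constructed CycloneDX-style SBOM, matches each component's purl against a constructed advisory list (placeholder ids, not real CVEs), and separately reports components that lack a versioned purl, since those cannot be reviewed at all and point to a gap in what the supplier delivered.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a minimal CycloneDX-style SBOM as a supplier might deliver it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"name": "jackson-databind", "version": "2.9.10",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10"},
        {"name": "unversioned-widget"},  # no version and no purl: cannot be reviewed
    ],
})

# Constructed advisory list (placeholder ids, not real CVEs): a component is
# affected when its version is below the first fixed release.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "fixed_in": "2.9.10.8",
     "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind"},
    {"id": "ADV-EXAMPLE-002", "fixed_in": "1.4.0", "package": "pkg:generic/libfoo"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version -> comparable tuple; non-numeric segments count as 0."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)

def split_purl(purl: str) -> Tuple[str, str]:
    """Return (package identity, version) from a purl, dropping qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.rpartition("@")
    return name, version

def review_sbom(sbom_json: str, advisories: List[Dict]) -> Dict[str, List[str]]:
    """Match each component against the advisory list. Components without a
    versioned purl are reported as unreviewable: a finding against the supplier."""
    result: Dict[str, List[str]] = {"affected": [], "unreviewable": []}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        if "@" not in purl:
            result["unreviewable"].append(comp.get("name", "<unnamed>"))
            continue
        pkg, version = split_purl(purl)
        for adv in advisories:
            if adv["package"] == pkg and parse_version(version) < parse_version(adv["fixed_in"]):
                result["affected"].append(f"{purl}: {adv['id']} (fixed in {adv['fixed_in']})")
    return result
```

Running `review_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)` flags jackson-databind (below its fixed release), passes libfoo (at or above its fixed release), and lists the unversioned component as unreviewable.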