NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-2(1) Establish SCRM Team

Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

Practitioner Notes

Establish a dedicated supply chain risk management team with members from across your organization — IT, security, procurement, legal, and operations.

Example 1: Form an SCRM team that includes your CISO or security lead, a procurement representative, a legal advisor, and a representative from each major business unit. Meet quarterly to review vendor risks, discuss emerging threats, and update the SCRM plan.

Example 2: Assign the SCRM team specific responsibilities: procurement evaluates vendor financial stability, IT security reviews vendor security practices, legal reviews contract terms for security and liability provisions, and operations assesses vendor service delivery reliability.