NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-3 — Supply Chain Controls and Processes
a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }}; and
c. Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}.
Supplemental Guidance
Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.
Practitioner Notes
Implement controls and processes to manage supply chain risks — from selecting vendors to verifying the integrity of delivered products and services.
Example 1: Before purchasing software or hardware, require vendors to complete a security questionnaire covering their security practices, incident response capabilities, data handling procedures, and compliance certifications. Score the responses and only approve vendors that meet your minimum threshold.
Example 2: Verify the integrity of all software before deploying it. Download software only from official vendor sites, check SHA-256 hashes against published values, and verify digital signatures. Never install software downloaded from third-party sites or torrents.
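The hash check in Example 2 is easy to get subtly wrong (comparing against the wrong file name, accepting an artifact that is simply missing from the checksum list, or trusting a malformed checksum file). The script below is an added example written for these notes; it is not NIST text or any vendor's tooling. It assumes the vendor publishes checksums in the common SHA256SUMS layout produced by sha256sum (one hex digest, whitespace, then the file name, with an optional leading asterisk for binary mode); the file names, payload bytes and digests in it are constructed for the demonstration.

```python
"""Verify a downloaded artifact against a vendor-published SHA256SUMS file.

Added example for the SR-3 practitioner notes (not part of the NIST text).
Assumes the '<hex digest>  <filename>' layout written by sha256sum; the
sample artifact and checksum entries below are constructed for this demo.
"""
import hashlib
import hmac
import re

# One checksum line: 64 hex characters, whitespace, optional '*' (binary mode), file name.
_LINE_RE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def parse_sha256sums(text: str) -> dict:
    """Parse 'digest  filename' lines into {filename: lowercase hex digest}.

    Blank lines and '#' comments are skipped. A malformed line raises, so a
    corrupted or edited checksum file is rejected instead of silently trimmed.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {raw!r}")
        table[m.group("name")] = m.group("digest").lower()
    return table


def sha256_of_bytes(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a multi-gigabyte installer need not be held in one buffer."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), chunk_size):
        h.update(view[i:i + chunk_size])
    return h.hexdigest()


def verify_artifact(name: str, data: bytes, sums_text: str) -> bool:
    """Return True only when the artifact's digest equals the published one.

    An artifact that is absent from the checksum file is reported as
    unverified, never as 'nothing to check'. hmac.compare_digest keeps the
    comparison constant-time, which costs nothing and avoids a bad habit.
    """
    published = parse_sha256sums(sums_text)
    expected = published.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_bytes(data), expected)


# Constructed sample data: the 'installer' is a short byte string whose real
# SHA-256 is computed here so the published entry is genuine; the second entry
# is deliberately wrong so a mismatching download is shown being rejected.
GOOD_INSTALLER = b"example installer payload v1.2.3\n"
GOOD_DIGEST = hashlib.sha256(GOOD_INSTALLER).hexdigest()
SAMPLE_SHA256SUMS = f"""# vendor-published checksums (constructed for this example)
{GOOD_DIGEST}  installer-1.2.3.bin
{'0' * 64}  installer-1.2.2.bin
"""

if __name__ == "__main__":
    print("genuine :", verify_artifact("installer-1.2.3.bin", GOOD_INSTALLER, SAMPLE_SHA256SUMS))
    print("modified:", verify_artifact("installer-1.2.3.bin", GOOD_INSTALLER + b"x", SAMPLE_SHA256SUMS))
    print("unlisted:", verify_artifact("other.bin", GOOD_INSTALLER, SAMPLE_SHA256SUMS))
```

Two caveats belong with this check. First, a checksum file fetched from the same place as the artifact proves only that both arrived together, so obtain it from the vendor's official site over HTTPS and, where the vendor signs it, verify that signature with the vendor's documented tooling before trusting any digest in it; signature verification itself is outside this script. Second, record the verified digest alongside the deployment so the documentation required by part c of the control exists when an auditor or incident responder asks what was actually installed.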