NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-3(1) Diverse Supply Base

Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations consider designing the system to include diverse materials and components.

Practitioner Notes

Maintain a diverse supply base so you are not dependent on a single supplier for critical products or services. If one supplier is compromised, you need alternatives.

Example 1: Identify your single-source dependencies — products or services where only one vendor can supply them. For each, identify at least one alternative supplier that has been vetted and can be activated if the primary supplier fails or is compromised.

Example 2: For cloud services, architect your applications to be portable between providers. Avoid deep lock-in to a single cloud vendor's proprietary services. Use containers and infrastructure-as-code so you can redeploy to a different provider if needed.