NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-3(2) — Limitation of Harm
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery.
Practitioner Notes
Limit the potential harm from a supply chain compromise by reducing how much any single supplier or component can reach: assume a given vendor product will eventually ship a malicious or vulnerable build and design so that this costs you one segment, not the enterprise.
Example 1: Segment your network so that vendor-supplied systems and services run in isolated zones with explicit, default-deny flows in and out. If a vendor's software is compromised (as in the 2020 SolarWinds Orion incident, where a trojanized update arrived through the vendor's normal update channel), the blast radius is limited to the segment where the vendor's tools operate. The check that matters is what the zone is allowed to talk to: a vendor zone that is permitted SMB, WinRM or RDP to every host is not meaningfully isolated, because those are the protocols an attacker pivots over. Allow only the read-only polling protocol the product actually uses toward the hosts it monitors.
Example 2: Limit the permissions granted to vendor software and its service accounts to the minimum needed. A vendor's monitoring tool does not need domain admin access; it needs a dedicated account that is valid only on the hosts it monitors, denied interactive and remote logon everywhere, and scoped to read-only operations. Apply least privilege so that a compromise of the vendor's product yields no credential worth harvesting. Segmentation and least privilege fail independently, so apply both: a least-privilege account behind a flat network still exposes every host the product can log into, and a well-segmented zone still exposes every host an over-privileged account can reach over a permitted login protocol.
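The two notes above describe the harm-limitation controls qualitatively. The following script, added here as an illustration and not part of NIST SR-3(2) or any vendor's documentation, makes the blast-radius argument concrete: it models hosts, zone firewall flows and credential grants, then propagates a compromise of the vendor appliance to a fixed point. A pivot from host A to host B is counted only when the firewall permits a login protocol from A's zone to B's zone, B exposes that protocol, and a credential harvested so far is valid on B. All host names, zones, accounts and flow rules are constructed for the example; the three scenarios show a flat network with an admin account, a segmented network that still allows SMB for agentless polling with an admin account, and a segmented zone limited to SNMP with an account that cannot log on anywhere.

```python
"""Blast-radius estimate for a compromised vendor component.

Added example (not from NIST 800-53 or the page): hosts are nodes, zone
firewall rules and credential grants are edges, and a compromise of the
vendor appliance is propagated until no new host can be reached.
Every host, zone, account and rule below is constructed for illustration.
"""
from dataclasses import dataclass

# Protocols over which a valid credential gives code execution on the target.
# Read-only polling protocols (snmp, https dashboards) are deliberately
# excluded: reaching a host on them is not a foothold.
LOGIN_SERVICES = frozenset({"rdp", "smb", "ssh", "winrm"})


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    services: frozenset   # listening services on this host
    accounts: frozenset   # credentials harvestable once this host is owned


class Environment:
    def __init__(self, hosts, flows, grants):
        self.hosts = {h.name: h for h in hosts}
        # (src_zone, dst_zone) -> allowed services; an absent pair is a deny
        self.flows = flows
        # account -> host names on which that credential is accepted
        self.grants = grants

    def allowed(self, src, dst):
        return self.flows.get((src.zone, dst.zone), frozenset())


def blast_radius(env, start):
    """Return the set of hosts an attacker controls after compromising `start`.

    Iterates to a fixed point because a credential harvested late (for
    example from a domain controller) can open paths from hosts that were
    already compromised earlier.
    """
    compromised = {start}
    harvested = set(env.hosts[start].accounts)
    changed = True
    while changed:
        changed = False
        for src_name in list(compromised):
            src = env.hosts[src_name]
            for dst in env.hosts.values():
                if dst.name in compromised:
                    continue
                usable = env.allowed(src, dst) & dst.services & LOGIN_SERVICES
                has_cred = any(dst.name in env.grants.get(a, ()) for a in harvested)
                if usable and has_cred:
                    compromised.add(dst.name)
                    harvested |= dst.accounts
                    changed = True
    return compromised


# Constructed corporate estate shared by all three scenarios.
CORP_HOSTS = [
    Host("dc01", "corp", frozenset({"ldap", "smb", "rdp"}), frozenset({"domain_admin"})),
    Host("fileserver", "corp", frozenset({"smb", "snmp"}), frozenset({"svc_backup"})),
    Host("hr-db", "corp", frozenset({"sql", "rdp", "snmp"}), frozenset()),
    Host("workstation-42", "corp", frozenset({"rdp", "smb"}), frozenset({"alice"})),
]
ALL_CORP = frozenset(h.name for h in CORP_HOSTS)
CORP_INTERNAL = frozenset({"ldap", "smb", "rdp", "sql", "https", "snmp"})
BASE_GRANTS = {
    "domain_admin": ALL_CORP,
    "svc_backup": frozenset({"fileserver"}),
    "alice": frozenset({"workstation-42"}),
}


def vendor_appliance(zone):
    return Host("vendor-monitor", zone, frozenset({"https"}), frozenset({"svc_vendor_monitor"}))


def flat_overprivileged():
    """Appliance on the flat corp network; its service account is a Domain Admin."""
    return Environment(
        CORP_HOSTS + [vendor_appliance("corp")],
        {("corp", "corp"): CORP_INTERNAL},
        {**BASE_GRANTS, "svc_vendor_monitor": ALL_CORP},
    )


def segmented_admin_account():
    """Own zone, but SMB allowed out for agentless polling and the account is still admin."""
    return Environment(
        CORP_HOSTS + [vendor_appliance("vendor")],
        {("corp", "corp"): CORP_INTERNAL,
         ("vendor", "corp"): frozenset({"snmp", "smb"}),
         ("corp", "vendor"): frozenset({"https"})},
        {**BASE_GRANTS, "svc_vendor_monitor": ALL_CORP},
    )


def segmented_least_privilege():
    """Own zone limited to SNMP polling; the account is valid for logon nowhere."""
    return Environment(
        CORP_HOSTS + [vendor_appliance("vendor")],
        {("corp", "corp"): CORP_INTERNAL,
         ("vendor", "corp"): frozenset({"snmp"}),
         ("corp", "vendor"): frozenset({"https"})},
        {**BASE_GRANTS, "svc_vendor_monitor": frozenset()},
    )


if __name__ == "__main__":
    for build in (flat_overprivileged, segmented_admin_account, segmented_least_privilege):
        owned = blast_radius(build(), "vendor-monitor")
        print(f"{build.__name__:28s} blast radius = {len(owned)}: {sorted(owned)}")
```

The second scenario is the one worth noticing: the appliance is in its own zone, yet because the allowed outbound flow is SMB and the account is a Domain Admin, the fixed-point loop walks from the vendor zone to the domain controller, harvests the admin credential, and from there reaches the one host the vendor zone could not see directly. Only the third scenario, with both controls applied, keeps the blast radius at the appliance itself.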