Supply Chain Risk Management
Supply Chain Controls and Processes
SR-03
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: SR-03
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
- a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
- b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
- c. Document the selected and implemented supply chain processes and controls in [Selection: one or more of: security and privacy plans; supply chain risk management plan].
FedRAMP Guidance
The CSO must document and maintain supply chain custody, including for replacement devices, to ensure the integrity of devices before they are introduced into the boundary.
Notification Agreements
SR-08
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: SR-08
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection: one or more of: notification of supply chain compromises].
FedRAMP Guidance
Follow the FedRAMP Incident Evaluation and Communication rules.