PM-30 Supply Chain Risk Management Strategy

Baselines

Guidance

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-2 ) is implemented at the system level.

References 11

• PRIVACT Privacy Act (P.L. 93-579), December 1974.
• FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
• EO 13873 Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019.
• 41 CFR 201 "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal Register 54263 (September 1, 2020), pp 54263-54271.
• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
• OMB M-17-06 Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services* , November 2016.
• CNSSD 505 Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017.
• ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014.
• ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018.
• SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
• IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.

Control Enhancements 1

• PM-30(01) Suppliers of Critical or Mission-essential Items L M H P

Related controls 12

• CM-10 Software Usage Restrictions L M H P
• PM-09 Risk Management Strategy L M H P
• SR-01 Policy and Procedures L M H P
• SR-02 Supply Chain Risk Management Plan L M H P
• SR-03 Supply Chain Controls and Processes L M H P
• SR-04 Provenance L M H P
• SR-05 Acquisition Strategies, Tools, and Methods L M H P
• SR-06 Supplier Assessments and Reviews L M H P
• SR-07 Supply Chain Operations Security L M H P
• SR-08 Notification Agreements L M H P
• SR-09 Tamper Resistance and Detection L M H P
• SR-11 Component Authenticity L M H P