SR-03 Supply Chain Controls and Processes

Baselines

Guidance

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

References 7

• FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
• 41 CFR 201 "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal Register 54263 (September 1, 2020), pp 54263-54271.
• EO 13873 Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019.
• ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018.
• SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
• SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
• IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.

Control Enhancements 3

• SR-03(01) Diverse Supply Base L M H P
• SR-03(02) Limitation of Harm L M H P
• SR-03(03) Sub-tier Flow Down L M H P

Related controls 23

• CA-02 Control Assessments L M H P
• MA-02 Controlled Maintenance L M H P
• MA-06 Timely Maintenance L M H P
• PE-03 Physical Access Control L M H P
• PE-16 Delivery and Removal L M H P
• PL-08 Security and Privacy Architectures L M H P
• PM-30 Supply Chain Risk Management Strategy L M H P
• SA-02 Allocation of Resources L M H P
• SA-03 System Development Life Cycle L M H P
• SA-04 Acquisition Process L M H P
• SA-05 System Documentation L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SA-09 External System Services L M H P
• SA-10 Developer Configuration Management L M H P
• SA-15 Development Process, Standards, and Tools L M H P
• SC-07 Boundary Protection L M H P
• SC-29 Heterogeneity L M H P
• SC-30 Concealment and Misdirection L M H P
• SC-38 Operations Security L M H P
• SI-07 Software, Firmware, and Information Integrity L M H P
• SR-06 Supplier Assessments and Reviews L M H P
• SR-09 Tamper Resistance and Detection L M H P
• SR-11 Component Authenticity L M H P