SR-05 Acquisition Strategies, Tools, and Methods
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [sr-05_odp].
Parameter sr-05_odp: strategies, tools, and methods
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.
- FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
- 41 CFR 201 "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal Register 54263 (September 1, 2020), pp 54263-54271.
- EO 13873 Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain*, May 2019.
- ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts*, April 2014.
- ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations*, February 2018.
- SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
- SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
- IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
- IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
Control Enhancements
- SR-05(01) Adequate Supply
- SR-05(02) Assessments Prior to Selection, Acceptance, Modification, or Update
Related controls
- AT-03 Role-based Training
- SA-02 Allocation of Resources
- SA-03 System Development Life Cycle
- SA-04 Acquisition Process
- SA-05 System Documentation
- SA-08 Security and Privacy Engineering Principles
- SA-09 External System Services
- SA-10 Developer Configuration Management
- SA-15 Development Process, Standards, and Tools
- SR-06 Supplier Assessments and Reviews
- SR-09 Tamper Resistance and Detection
- SR-10 Inspection of Systems or Components
- SR-11 Component Authenticity