SR-07 Supply Chain Operations Security
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: sr-07_odp.
| Parameter ID | Definition |
|---|---|
| sr-07_odp | OPSEC controls |
Baselines
- L
- M
- H
- P
Guidance
Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.
References 5
- EO 13873 Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019.
- SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
- ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014.
- SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
- IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
Related controls 1
- SC-38 Operations Security L M H P