Supply Chain Risk Management Plan

Approach basics → §4.x

Roles and tooling that anchor the rest of the plan.

SCRM-team role (one-liner) * Role / team accountable for SCRM (e.g., 'Agency C-SCRM Office', 'Internal SCRM Working Group chaired by CISO + Procurement Lead', 'ISSO with quarterly review by ITRM committee').

SCRM Plan location * Where the SCRM Plan itself is maintained (typically alongside the SSP — e.g., 'eMASS package PKG-12345 SCRM annex', '/repo/compliance/scrm-plan.md').

Vendor risk-management system (one-liner) * Where vendor-risk-rating is conducted (e.g., 'Internal review + BitSight + SecurityScorecard', 'Archer Vendor Risk module', 'CISO-led annual vendor review with Procurement support').

SBOM processing tooling Tool that ingests and analyzes received SBOMs (e.g., 'OWASP Dependency-Track', 'Anchore Enterprise', 'Mend SCA + custom ingestion').

Methodology alignment — Select — NIST SP 800-161 r1 fully aligned NIST SP 800-161 r1 partial — major-vendor scope only NIST SP 800-161 r1 partial — software-supply-chain only Internal methodology (cross-walked to SP 800-161 r1) Not formally aligned

SCRM Plan (SR-2) → §4.x

How the SCRM Plan itself is governed.

SCRM Plan scope summary What the SCRM Plan covers (organizational responsibilities, in-scope suppliers / categories, risk methodology cross-reference to RA-3(1), incident protocols, plan revision schedule). Reference NIST SP 800-161 r1 Appendix B.

Plan-review cadence (SR-2 ODV) How often the SCRM Plan is reviewed and updated (typical: 'Annually + on significant change to supplier mix or threat environment'). SR-2 ODV.

Dedicated SCRM processes (SR-2(1)) Per SR-2(1) — establish a dedicated supply-chain risk-management team. Document team membership, charter, decision authority.

Supplier categories in scope

Hardware vendors (servers, network, endpoints) Software vendors (commercial off-the-shelf) Cloud-service providers Open-source software dependencies System-integration / development partners Maintenance / service vendors Subcontractors / second-tier suppliers Cryptographic-module vendors Logistics / shipping providers Logistics / cleared couriers

Supply Chain Controls and Processes (SR-3) → §4.x

Risk-mitigation processes applied across the supply chain.

Risk categories addressed

Counterfeit components Maliciously modified components Foreign-influence / foreign-ownership concerns Single-source / single-vendor supplier failure Quality / defect risk from supplier process Geopolitical disruption Embedded vulnerabilities (CVE / unpatched) Insider risk at supplier Subcontractor-tier opacity Section 889 prohibited equipment

Mitigation strategies

Source diversification (multiple suppliers per critical category) Trusted-supplier program (curated approved list) SBOM analysis pipeline Component testing on receipt Tamper-evident packaging requirements in contracts Tracked custody from manufacture FedRAMP / SOC 2 attestation requirements ICT-SCRM Task Force best-practices alignment Section 889 attestation collection

Information-sharing participation

CISA ICT-SCRM Task Force Defense Industrial Base (DIB) Cybersecurity Program Sector ISAC Inter-agency SCRM working groups Bilateral with key suppliers Open-source threat intel platforms (TIP)

Acquisition Strategies (SR-5) → §4.x

Selection of trustworthy suppliers.

Pre-award screening criteria

FedRAMP authorization (cloud) SOC 2 Type II report ISO 27001 certification CMMC certification (DoD) Vendor cyber-insurance + financial health Past performance review ICT-SCRM self-attestation (NIST SP 800-161 r1) Section 889 attestation Country-of-origin disclosure Foreign-ownership-control-and-influence (FOCI) disclosure

Evaluation methodology How candidate suppliers are evaluated. Scoring matrix, weight per criterion, decision authority. Reference NIST SP 800-161 r1 Appendix C.

Trusted-supplier list reference Where the approved-supplier / trusted-supplier list is maintained.

Source-diversity requirement When source-diversity (multiple suppliers per critical component class) is required vs allowed-single-source. Risk-acceptance pathway for unavoidable single-source dependencies.

Supplier Assessments and Reviews (SR-6) → §4.x

Ongoing supplier-risk monitoring.

Assessment inputs

Annual SOC 2 / FedRAMP report receipt Cybersecurity questionnaire (CAIQ / SIG) Third-party risk-rating service (BitSight / SecurityScorecard / Black Kite) Public-incident-disclosure tracking Financial-health monitoring M&A activity tracking Geopolitical-risk monitoring Vendor SBOM analysis Vulnerability-disclosure-program participation On-site assessment (high-risk suppliers)

Assessment cadence (SR-6 ODV) How often suppliers are reassessed. Tier-based (e.g., 'Critical suppliers: continuous + quarterly formal; high-risk: semi-annual; standard: annual').

Adverse-finding handling Workflow when a supplier assessment identifies elevated risk. Acceptable-risk pathway, mitigation requirements, exit / replacement consideration.

Critical-supplier register Who is on the critical-supplier register and why. Reference RA-9 criticality analysis.

Notification Agreements (SR-8) → §4.x

Contractual obligations for supplier disclosure.

Required notifications

Cybersecurity incidents affecting customer data / systems Vulnerabilities discovered in supplied products Personnel changes affecting customer-dedicated staff Subcontractor changes M&A activity affecting ownership Foreign-investment disclosures (CFIUS-relevant) Government investigations / subpoenas affecting customer data Supply-chain compromises (upstream from supplier)

Notification SLA Time-to-notify by event class. Common: 'Cyber incidents: 24-72h per CISA / DFARS guidelines'; 'Vulnerabilities: per coordinated disclosure timeline'.

Contract clause reference Pointer to the standard contract-clause language that imposes notification obligations.

Internal-routing of received notifications Where notifications received from suppliers are routed internally (typically: SOC + ISSO + IR team). Reference IR plan.

Component Inspection (SR-10) → §4.x

Inspection of components upon receipt.

Inspection triggers

Random sampling at receiving All-units inspection for critical components Tamper-evidence indicator on packaging Suspicious sourcing / unauthorized intermediary High-criticality classification (per RA-9 / SR-3) Indicator of compromise published for component class

Inspection methods

Visual inspection (physical tampering, label authenticity) Hash / digital-signature verification of firmware X-ray / non-destructive testing for embedded modifications Functional / performance testing JTAG / boundary-scan integrity testing Vendor-provided integrity attestation Supply-chain-provenance verification (in-toto / SLSA)

Failure-handling procedure What happens when inspection reveals a problem. Component quarantine, supplier escalation, IR activation. Coordination with CISA-DHS.

Authenticity and Anti-Counterfeit (SR-11) → §4.x

Protection against counterfeit components.

Anti-counterfeit practices

Genuine-source verification (SR-11(2)) — only authorized resellers Supplier authentication marks (holograms, watermarks) Serial-number registration with manufacturer Tamper-evident packaging requirements Component testing on receipt (SR-10) Anti-counterfeit training for personnel (SR-11(1)) GIDEP (Government-Industry Data Exchange) participation ERAI (Electronic Resellers Association International) reporting

Anti-counterfeit training program (SR-11(1)) Per SR-11(1) — training for personnel involved in receipt / inspection / disposal of components. Reference AT-3 role-based training.

Genuine-source verification (SR-11(2)) Per SR-11(2) — verifying components are obtained from authorized suppliers / authorized resellers. Maintaining the chain back to the OEM.

Suspected-counterfeit register reference Where suspected-counterfeit findings are recorded and tracked.

Component Disposal (SR-12) → §4.x

Lifecycle disposition of supply-chain components.

Disposal categories tracked

End-of-life replacement (vendor-driven) End-of-support replacement (SA-22) Decommissioning (system / service retirement) Failed-component RMA to vendor Legal / compliance (subpoena / discovery release) Donation / transfer (cleared organizations only)

Disposal procedures How disposal is executed. Coordination with MP-6 sanitization (for media-bearing components), PE-16 removal, vendor RMA workflow with required sanitization. Reference NIST SP 800-88 r1.

Chain-of-custody requirement Whether and when chain-of-custody documentation is required for disposal. Especially relevant for cryptographic-module-bearing components and classified-system components.

Supply-Chain Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Active suppliers Approximate count of active suppliers in scope of SR program.

Critical suppliers Approximate count of suppliers classified as critical (per SR-3 / RA-9).

Open-source dependencies tracked Approximate count of OSS components tracked through SBOM analysis.

Quarterly components received Approximate count of components received per quarter (anchors SR-10 inspection effort).

SCRM Metrics & KPIs → §6.x

Metrics tracked to demonstrate SR control effectiveness.

Tracked metrics

Add item

Suggested: + SCRM Plan currency (last review date) + Supplier-assessment completion rate (% of in-scope suppliers reassessed in cycle) + Vendor-incident notification timeliness (mean time received vs SLA) + Suspected-counterfeit detections per quarter + SBOM-receipt completeness rate (% of contracts with SBOM delivered) + SBOM-vulnerability-match findings per quarter + Single-source-component count (target: minimize) + Section 889 attestation currency rate + Vendor-EOL anticipation lead time (mean days notice received) + Trusted-supplier list currency (% reviewed in cycle) + Open POA&M items linked to SR controls

Vendor-Incident Notification Handling → §6.x

Continuous handling of supplier disclosures.

Intake channels

Vendor-managed customer portal Email distribution list (security-disclosure) API / automated feed Phone (legal team) TIP / SOAR ingestion

Triage role Who triages received vendor notifications (typically SOC dispatcher or IR analyst-on-call).

IR-handoff workflow How vendor-incident notifications become incidents in the IR plan workflow. Severity determination, escalation criteria.

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the SR control implementations are summarized (e.g., 'SSP §13.16').

POA&M ID prefix for SR findings Convention for SR-related POA&M items (e.g., 'POAM-SR-' for general).

RA handoff How RA-3(1) supply-chain risk assessment triggers SR program activity. How RA-9 criticality classification feeds SR-3 critical-supplier register.

SA handoff How SA-4 acquisition clauses contractually impose SR requirements; SA-9 external-services governance overlap with SR-3 / SR-5; SA-15(3) criticality echo with SR-3.

CM handoff How SR-10 inspection results feed CM-2 baseline integrity. Component-tampering finding triggers CM-4 / CM-5 review.

IR handoff How vendor-incident notifications become IR-plan events. How counterfeit-component detection escalates.

SI handoff How SR-supplied artifact authenticity (SBOM, signed packages, attestations) feeds SI-7 integrity verification.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying SR continuous-monitoring metrics to the broader ConMon plan.