CMMC Requirement RA.L3-3.11.6E – Supply Chain Risk Response: Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3. This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place. ISO/IEC 27036 is a multi-part standard offering guidance on the management of information risks involved in the acquisition of ICT products (goods and services) from suppliers.
The standards avoid referring to selling and buying since the issues are much the same whether the transactions are commercial or not e.g. when one part of an organization or group acquires ICT products from another, or uses free/open-source products. This web page provides helpful links to key NIST resources and activities. NIST has collaborated with public and private sector stakeholders to research and develop C-SCRM tools and metrics, producing case studies and widely used guidelines on mitigation strategies. These multiple resources reflect the complex global marketplace and assist federal agencies, companies, and others in managing cybersecurity risks in supply chains that threaten their information systems and organizations. This guide provides cybersecurity supply chain risk management (C-SCRM) program management capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161 (Revision 1). It is a supplement to the content within SP 800-161r1 and is not intended to replace it. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This NIST Special Publication provides guidance for conducting risk assessments.
Supply chain events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on a system and its information and, therefore, can also adversely impact organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.
[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
Further Discussion
Organizations will have varying policies, definitions, and actions for this requirement. It is important for a single organization to be consistent and to build a process that makes sense for their organization, strategy, unique supply chain, and the technologies available to them.