CMMC Practice RM.4.148: Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
An organization relies heavily on products and solutions created by other entities. These solution sets can add risk to an organization’s overall cyber security posture. Organizations need to develop a plan for managing the supply chain risks associated with the IT supply chain. The scope of the plan is the IT suppliers for the networking, storage, and computing software, hardware, and services that support the storage, processing and transmission of CUI and are part of the CMMC assessment. This plan needs to be updated from time to time, and the organization needs to verify that its policies match the plan and that it follows the plan when obtaining solutions from this supply chain.