CMMC Requirement RA.L3-3.11.6E – Supply Chain Risk Response: Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
Links to Publicly Available Resources – Coming Soon
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
[NIST SP 800-161 Rev. 1] provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.
[NIST SP 800-30] provides guidance for conducting risk assessments.
Supply chain events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on a system and its information and, therefore, can also adversely impact organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify the systems or components for which additional supply chain risk mitigations are required.
[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
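The following is an added illustration of the "assess" and "monitor" parts of the requirement; it is not code from the CMMC guide or from NIST. It scores each component in a constructed inventory against the supply chain event types listed above, combining a qualitative likelihood with the component's criticality (impact) through a simplified five-level matrix. The matrix is an assumption modelled on the qualitative scale style of NIST SP 800-30, not the publication's own table. Components whose worst-rated event reaches a threshold are flagged as needing additional mitigations. A second function shows one routine monitoring check: comparing delivered artifacts against a supplier's expected SHA-256 manifest to surface improper delivery or tampering. All component names, suppliers, likelihoods and manifest values are constructed sample data.

```python
"""Component-level supply chain risk assessment and artifact monitoring.

Added example, not from the CMMC guide or NIST. The five-level matrix in
risk_level() is an assumption in the style of SP 800-30's qualitative scale.
"""
import hashlib
from dataclasses import dataclass

LEVELS = ["very_low", "low", "moderate", "high", "very_high"]

# Supply chain event types named in the requirement discussion.
EVENTS = ["disruption", "defective_component", "counterfeit", "theft",
          "malicious_development", "improper_delivery", "malicious_code"]


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a qualitative likelihood and impact into a risk level.

    Assumed matrix: if either factor is very_low the risk is capped at low;
    otherwise the sum of the two level indices (2..8) is banded.
    """
    li, ii = LEVELS.index(likelihood), LEVELS.index(impact)
    if li == 0 or ii == 0:
        return "very_low" if (li == 0 and ii == 0) else "low"
    total = li + ii
    if total >= 8:
        return "very_high"
    if total >= 6:
        return "high"
    if total >= 4:
        return "moderate"
    return "low"


@dataclass
class Component:
    name: str
    supplier: str
    criticality: str          # impact level if compromised or unavailable
    event_likelihood: dict    # event type -> likelihood level from threat assessment


def assess(component: Component) -> dict:
    """Risk level for each supply chain event recorded against one component."""
    for ev in component.event_likelihood:
        if ev not in EVENTS:
            raise ValueError(f"unknown supply chain event type: {ev}")
    return {ev: risk_level(lik, component.criticality)
            for ev, lik in component.event_likelihood.items()}


def components_needing_mitigation(inventory, threshold: str = "high") -> dict:
    """Map component name -> (worst event, level) for components at/above threshold."""
    t = LEVELS.index(threshold)
    flagged = {}
    for comp in inventory:
        risks = assess(comp)
        worst = max(risks.items(), key=lambda kv: LEVELS.index(kv[1]))
        if LEVELS.index(worst[1]) >= t:
            flagged[comp.name] = worst
    return flagged


def verify_artifacts(expected: dict, delivered: dict) -> list:
    """Monitoring check: compare delivered artifact bytes with the supplier's
    expected SHA-256 digests. Returns (name, finding) for artifacts that are
    missing or whose digest differs (possible improper delivery or tampering)."""
    findings = []
    for name, digest in expected.items():
        data = delivered.get(name)
        if data is None:
            findings.append((name, "missing"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "digest_mismatch"))
    return findings


# Constructed sample inventory (names, suppliers and ratings are made up).
INVENTORY = [
    Component("edge-firewall-fw", "vendor-a", "very_high",
              {"malicious_code": "low", "counterfeit": "moderate", "disruption": "low"}),
    Component("hr-portal-lib", "oss-project-b", "moderate",
              {"malicious_code": "moderate", "malicious_development": "low"}),
    Component("office-printer", "vendor-c", "low",
              {"defective_component": "high", "disruption": "moderate"}),
]

# Constructed manifest and delivery: the installer was altered in transit.
MANIFEST = {
    "firmware.bin": hashlib.sha256(b"firmware v1.2 contents").hexdigest(),
    "installer.pkg": hashlib.sha256(b"installer contents").hexdigest(),
}
DELIVERED = {
    "firmware.bin": b"firmware v1.2 contents",
    "installer.pkg": b"installer contents (modified)",
}

if __name__ == "__main__":
    for comp in INVENTORY:
        print(comp.name, assess(comp))
    print("needs additional mitigation:", components_needing_mitigation(INVENTORY))
    print("artifact findings:", verify_artifacts(MANIFEST, DELIVERED))
```

On the sample data only the firewall firmware is flagged (counterfeit risk rates high because the component's criticality is very high), and the monitoring check reports the modified installer. The threshold, the matrix and the event likelihoods are exactly the policy choices the "Further Discussion" below says each organization must define for itself.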
Further Discussion
Organizations will have varying policies, definitions, and actions for this requirement. It is important for a single organization to be consistent and to build a process that makes sense for the organization, its strategy, its unique supply chain, and the technologies available to it.