RA.L3-3.11.6e Supply Chain Risk Response
Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
Source: NIST SP 800-172 3.11.6e
Discussion: Supply chain events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on a system and its information and, therefore, can also adversely impact organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required. [SP 800-30] provides guidance on risk assessments, threat assessments, and risk analyses. [SP 800-161] provides guidance on supply chain risk management.
Assessment Objectives:
Determine if:
- [a] Supply chain risks associated with organizational systems and system components are identified;
- [b] Supply chain risks associated with organizational systems and system components are assessed;
- [c] Supply chain risks associated with organizational systems and system components are responded to; and
- [d] Supply chain risks associated with organizational systems and system components are monitored.
Examine: [SELECT FROM: Risk assessment policy; procedures addressing organizational assessments of risk; security planning policy and procedures; supply chain risk management plan; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; threat intelligence information; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for information security; organizational personnel responsible for risk assessments; organizational personnel responsible for supply chain risk management].
Test: [SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing, disseminating, and updating risk assessments].
SPRS Score: 1
POA&M Allowed: No