Skip to main content

RSK-09: Supply Chain Risk Management (SCRM) Plan

RSK 10 — Critical Identify

Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.

Control Question: Does the organization develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans?

General (43)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC3.1 CC3.2 CC3.2-POF7 CC3.2-POF8 CC4.1 CC9.2 CC9.2-POF1 CC9.2-POF10 CC9.2-POF11 CC9.2-POF12 CC9.2-POF2 CC9.2-POF3 CC9.2-POF4 CC9.2-POF7 CC9.2-POF8 CC9.2-POF9
CIS CSC 8.1 15.2
CIS CSC 8.1 IG2 15.2
CIS CSC 8.1 IG3 15.2
COBIT 2019 APO12.01 APO12.02 APO12.03 APO12.04
COSO 2017 Principle 6 Principle 7 Principle 16
CSA CCM 4 STA-02 STA-03 STA-07 STA-08 STA-12 STA-13
CSA IoT SCF 2 SDV-02
IMO Maritime Cyber Risk Management 3.5.3.8
ISO 27002 2022 5.21 8.30
ISO 31000 2009 5.1 5.2 5.3
ISO 31010 2009 4.3.3
ISO 42001 2023 A.10 A.10.2 A.10.3
NIST AI 100-1 (AI RMF) 1.0 MANAGE 3.0
NIST Privacy Framework 1.0 ID.DE-P2 ID.DE-P3
NIST 800-39 3.1
NIST 800-53 R4 SA-12
NIST 800-53 R4 (high) SA-12
NIST 800-53 R5 (source) PM-29 PM-30 SA-9(3) SR-2 SR-7
NIST 800-53B R5 (low) (source) SR-2
NIST 800-53B R5 (moderate) (source) SR-2
NIST 800-53B R5 (high) (source) SR-2
NIST 800-53 R5 (NOC) (source) PM-29 PM-30 SA-9(3) SR-7
NIST 800-82 R3 LOW OT Overlay SR-2
NIST 800-82 R3 MODERATE OT Overlay SR-2
NIST 800-82 R3 HIGH OT Overlay SR-2
NIST 800-161 R1 PM-29 PM-30 SA-9(3) SR-2 SR-7
NIST 800-161 R1 C-SCRM Baseline SR-2
NIST 800-161 R1 Level 1 PM-29 PM-30
NIST 800-161 R1 Level 2 PM-30 SR-7
NIST 800-161 R1 Level 3 SR-2 SR-7
NIST 800-171 R3 (source) 03.11.01.a 03.17.01.a 03.17.01.b 03.17.03.a 03.17.03.b
NIST 800-171A R3 (source) A.03.11.01.a A.03.17.01.ODP[01] A.03.17.01.a[01] A.03.17.01.a[02] A.03.17.01.a[03] A.03.17.01.a[04] A.03.17.01.a[05] A.03.17.01.a[06] A.03.17.01.a[07] A.03.17.01.a[08] A.03.17.01.a[09] A.03.17.01.a[10] A.03.17.01.b[01] A.03.17.01.b[02] A.03.17.01.c A.03.17.03.ODP[01] A.03.17.03.a[01] A.03.17.03.a[02] A.03.17.03.b
NIST 800-172 3.11.6e 3.11.7e
NIST CSF 2.0 (source) GV.SC GV.SC-01 GV.SC-03 GV.SC-05 GV.SC-09 GV.SC-10 ID ID.IM ID.RA PR
SPARTA CM0026
UN R155 7.2.2.5
UN ECE WP.29 7.2.2.5
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) RSK-09
SCF CORE ESP Level 1 Foundational RSK-09
SCF CORE ESP Level 2 Critical Infrastructure RSK-09
SCF CORE ESP Level 3 Advanced Threats RSK-09
SCF CORE AI Model Deployment RSK-09
US (16)
Framework Mapping Values
US C2M2 2.1 THIRD-PARTIES-1.C.MIL2
US CMMC 2.0 Level 3 (source) RA.L3-3.11.6E RA.L3-3.11.7E
US DoD Zero Trust Execution Roadmap 3.3
US DHS CISA TIC 3.0 3 UNL.SCRMA
US FedRAMP R5 (source) SR-2
US FedRAMP R5 (low) (source) SR-2
US FedRAMP R5 (moderate) (source) SR-2
US FedRAMP R5 (high) (source) SR-2
US FedRAMP R5 (LI-SaaS) (source) SR-2
US HIPAA HICP Small Practice 5.S.B
US HIPAA HICP Medium Practice 5.M.B
US HIPAA HICP Large Practice 5.M.B 9.L.C
US IRS 1075 SR-2
US NERC CIP 2024 (source) CIP-013-2 R1 CIP-013-2 R2 CIP-013-2 R3
US SEC Cybersecurity Rule 17 CFR 229.106(b)(1)(iii)
US - TX DIR Control Standards 2.0 SR-2
EMEA (10)
Framework Mapping Values
EMEA EU AI Act 17.1(l)
EMEA EU DORA 28.1 28.1(a) 28.1(b) 28.1(b)(i) 28.1(b)(ii) 28.2 28.3 28.4 28.4(a) 28.4(b) 28.4(c) 28.4(d) 28.4(e) 28.5 28.6 28.7(a) 28.7(b) 28.7(c) 28.7(d) 28.8 28.8(a) 28.8(b) 28.8(c)
EMEA EU NIS2 21.2(d) 21.3
EMEA EU NIS2 Annex 5.1.1 5.1.5 5.1.6
EMEA Germany C5 2020 OIS-07
EMEA Israel CDMO 1.0 16.3 17.3 17.11
EMEA Saudi Arabia ECC-1 2018 1-5-3-3
EMEA UK CAF 4.0 A4 A4.a
EMEA UK CAP 1850 A4
EMEA UK DEFSTAN 05-138 1400
APAC (4)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0731 ISM-1567 ISM-1785
APAC Japan ISMAP 15.1.1.16.B 15.1.2.18.PB
APAC New Zealand NZISM 3.6 2.2.7.C.01 12.7.14.C.01 12.7.14.C.02 12.7.14.C.03 12.7.15.C.01 12.7.15.C.02 12.7.16.C.01 12.7.16.C.02 12.7.16.C.03 12.7.17.C.01 12.7.18.C.01 12.7.18.C.02 12.7.19.C.01 12.7.19.C.02 12.7.20.C.01 12.7.20.C.02 12.7.20.C.03 12.7.20.C.04 12.7.20.C.05 12.7.21.C.01
APAC Singapore MAS TRM 2021 5.3.1
Americas (2)
Framework Mapping Values
Americas Canada CSAG 2.3 4.25
Americas Canada ITSP-10-171 03.11.01.A 03.17.01.A 03.17.01.B 03.17.03.A 03.17.03.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.

Level 2 — Planned & Tracked

Risk Management efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for risk management. o Implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.

  • Risk management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.
  • Data/process owners work with IT/cybersecurity personnel and Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.
  • IT/cybersecurity personnel:
  • Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined

Risk Management efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Analyzes the organization's business strategy to determine prioritized and authoritative guidance for Risk Management (RM) practices. o Develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for RM. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to RM. o Maintains a common taxonomy of risk-relevant terminology to minimize assumptions and misunderstandings. o Enables data/process owners to conduct annual risk assessment of their operations that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. o Assists users in making informed risk decisions to ensure data and processes are appropriately protected. o Enables the documentation of risk assessments, risk response and risk monitoring to support statutory, regulatory and contractual obligations for risk management practices. o Maintains a centralized risk register to reflect an active recording and disposition of identified risks. The risk register identifies and assigns a risk ranking to vulnerabilities and risks that is based on industry-recognized practices and facilitates monitoring and reporting of those risks. o Governs supply chain risks associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS).

  • A formal Risk Management Program (RMP) provides enterprise-wide guidance on how risk is to be identified, framed (e.g., risk appetite, risk tolerance, risk thresholds, etc.) assessed, mitigated/remediated and reported.
  • Criteria to define materiality for risk management decisions is defined.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including appropriately resourcing risk management operations.
  • A formally-documented Cybersecurity Supply Chain Risk Management (C-SCRM) plan exists to identify, assess and mitigate supply chain-related risks and threats;
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns,
  • A Governance, Risk & Compliance (GRC) function, or similar function:
  • An IT Asset Management (ITAM) function, or similar function, categorizes assets according to the data the asset stores, transmits and/ or processes, applying the appropriate technology controls to protect the asset and data.
Level 4 — Quantitatively Controlled

Risk Management efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.

Assessment Objectives

  1. RSK-09_A01 an organization-wide strategy for managing supply chain risks is developed.
  2. RSK-09_A02 supply chain risks associated with organizational systems and system components are identified.
  3. RSK-09_A03 the supply chain risk management strategy is implemented consistently across the organization.
  4. RSK-09_A04 a plan for managing supply chain risks is developed.
  5. RSK-09_A05 security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events are defined.
  6. RSK-09_A06 the supply chain risk management strategy is reviewed / updated per an organization-defined frequency or as required to address organizational changes.
  7. RSK-09_A07 the frequency at which to review and update the supply chain risk management plan is defined.
  8. RSK-09_A08 the plan for managing supply chain risks is updated frequently.
  9. RSK-09_A09 the SCRM plan addresses risks associated with the research and development of the system, system components, or system services.
  10. RSK-09_A10 the SCRM plan addresses risks associated with the design of the system, system components, or system services.
  11. RSK-09_A11 the SCRM plan addresses risks associated with the manufacturing of the system, system components, or system services.
  12. RSK-09_A12 the SCRM plan addresses risks associated with the acquisition of the system, system components, or system services.
  13. RSK-09_A13 the SCRM plan addresses risks associated with the delivery of the system, system components, or system services.
  14. RSK-09_A14 the SCRM plan addresses risks associated with the integration of the system, system components, or system services.
  15. RSK-09_A15 the SCRM plan addresses risks associated with the operation of the system, system components, or system services.
  16. RSK-09_A16 the SCRM plan addresses risks associated with the maintenance of the system, system components, or system services.
  17. RSK-09_A17 the SCRM plan addresses risks associated with the disposal of the system, system components, or system services.
  18. RSK-09_A18 the SCRM plan is reviewed per an organization-defined frequency.
  19. RSK-09_A19 the SCRM plan is updated per an organization-defined frequency.
  20. RSK-09_A20 the SCRM plan is protected from unauthorized disclosure.
  21. RSK-09_A21 the supply chain risk management plan is protected from unauthorized modification.
  22. RSK-09_A22 Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component or system service are defined.
  23. RSK-09_A23 OPSEC controls are employed to protect supply chain-related information for the system, system component or system service.
  24. RSK-09_A24 the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.
  25. RSK-09_A25 a process for identifying weaknesses or deficiencies in the supply chain elements and processes is established.
  26. RSK-09_A26 organization-defined security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events.
  27. RSK-09_A27 a process for addressing weaknesses or deficiencies in the supply chain elements and processes is established.
  28. RSK-09_A28 the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.
  29. RSK-09_A29 the SCRM plan is reviewed <A.03.17.01.ODP[01]: frequency>.
  30. RSK-09_A30 the SCRM plan is updated <A.03.17.01.ODP[01]: frequency>.
  31. RSK-09_A31 the following security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events: <A.03.17.03.ODP[01]: security requirements>.

Evidence Requirements

E-RSK-02 Supply Chain Risk Management (SCRM) Plan

Documented evidence of a Supply Chain Risk Management (SCRM) Plan. This is program-level documentation in the form of a playbook, concept of operations or a similar format provides guidance on organizational practices that support existing policies and standards.

Risk Management

Technology Recommendations

Micro/Small

  • Risk Management Program (RMP)
  • Cybersecurity Supply Chain Risk Management (C-SCRM) program
  • Supply Chain Risk Management (SCRM) Plan

Small

  • Risk Management Program (RMP)
  • Cybersecurity Supply Chain Risk Management (C-SCRM) program
  • Supply Chain Risk Management (SCRM) Plan

Medium

  • Risk Management Program (RMP)
  • Cybersecurity Supply Chain Risk Management (C-SCRM) program
  • Supply Chain Risk Management (SCRM) Plan

Large

  • Risk Management Program (RMP)
  • Cybersecurity Supply Chain Risk Management (C-SCRM) program
  • Supply Chain Risk Management (SCRM) Plan

Enterprise

  • Risk Management Program (RMP)
  • Cybersecurity Supply Chain Risk Management (C-SCRM) program
  • Supply Chain Risk Management (SCRM) Plan

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free