Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Supply chain risk management
Appendix 1.20 Supply chain risk management
The set of SR controls is largely aimed at the organization level rather than at the information system. As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST notes that supply chain risk management (SCRM) activities "include identifying and assessing risks" based on the organization's "dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers." SCRM activities also include "determining appropriate risk response actions [to supply chain risk], developing SCRM plans to document response actions, and monitoring performance against plans." The first control, SR-1, is included here. For more on these controls, consult pages 363–73 of NIST SP 800-53, Rev. 5.
SR-1 Policy and procedures
This control recommends that the organization develop, document, disseminate, review, and update SCRM policies and procedures. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action, but also to address how those policies and procedures will be implemented, reviewed, and updated.
Citation information for this chapter
Chapter: Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec
Title: Comprehensive Guide to Developing and Implementing a Cybersecurity Plan
Edition: Second
Author for citation: Shawn E. Douglas
License for content: Creative Commons Attribution-ShareAlike 4.0 International
Publication date: March 2023