CMMC v2.11 Practices

RA.L3-3.11.6e  

Reference: CMMC v2.11

Family: RA

Level Introduced: 3

Title: Supply Chain Risk Response

Practice:
Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.

Further Discussion:
Organizations will have varying policies, definitions, and actions for this requirement. It is important for a single organization to be consistent and to build a process that makes sense for their organization, strategy, unique supply chain, and the technologies available to them.

Example
You are responsible for information security in your organization, which holds and processes CUI. One of your responsibilities is to manage risk associated with your supply chain that may provide an entry point for the adversary. First, you acquire threat information by subscribing to reports that identify supply chain attacks in enough detail that you are able to identify the risk points in your organization’s supply chain [a]. You create an organization-defined prioritized list of risks the organization may encounter and determine the responses to be implemented to mitigate those risks [b,c].

In addition to incident information, the intelligence provider also makes recommendations for monitoring and auditing your supply chain. You assess, integrate, correlate, and analyze this information so you can use it to acquire monitoring tools to help identify supply chain events that could be an indicator of an incident. This monitoring tool provides visibility of the entire attack surface, including your vendors’ security posture [d]. Second, you analyze the incident information in the intelligence report to help identify defensive tools that will help respond to each of those known supply chain attack techniques as soon as possible after such an incident is detected, thus mitigating risk associated with known techniques.

Potential Assessment Considerations
• Has the organization prioritized risks to the supply chain [a,b]?
• Does the organization have viable service-level agreements that describe and enable responses to supply chain incidents [c,d]?


Source: CMMC v2.11