NIST 800-53 REV 5 • RISK ASSESSMENT

RA-3(1) — Supply Chain Risk Assessment

Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

Practitioner Notes

A supply chain risk assessment evaluates the risks introduced by your vendors, suppliers, and service providers. Compromised supply chains are one of the most effective attack vectors adversaries use today.

Example 1: For each critical vendor, assess the risk they pose: what data do they access, what systems do they connect to, how strong is their security posture (request SOC 2 reports, penetration test results), and what would happen if they were breached? Document these assessments in your vendor risk register.

Example 2: Before selecting new software or hardware vendors, include a supply chain risk evaluation in the procurement process. Check CISA's Known Exploited Vulnerabilities catalog for the vendor's products, review their SBOM (Software Bill of Materials), and verify they are not on restricted entity lists.