NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-3(3) Sub-tier Flow Down

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the "flow down" of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in [SR-3b](#sr-3_smt.b).

Practitioner Notes

Ensure your supply chain security requirements flow down to sub-tier suppliers — your vendor's vendors need to meet security standards too.

Example 1: Include clauses in your vendor contracts that require them to impose equivalent security requirements on their own subcontractors, and to pass those requirements further down if a subcontractor itself outsources. If your cloud provider uses a third-party data center, that data center must meet the same security standards you require of the cloud provider, and the provider's contract with the data center should say so explicitly.

Example 2: Request your vendors' subcontractor lists and verify that critical sub-tier suppliers hold appropriate attestations (SOC 2 reports, ISO 27001 certification, FedRAMP authorization). Treat these as evidence, not as proof of flow down: check that the scope of each attestation actually covers the services delivered to you, and that the specific controls identified under SR-3b appear in the sub-tier contracts themselves. A weak link in the sub-tier supply chain can compromise your security regardless of how secure your direct vendor is.