NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-6(1) Testing and Analysis

Employ {{ insert: param, sr-06.01_odp.01 }} of the following supply chain elements, processes, and actors associated with the system, system component, or system service: {{ insert: param, sr-06.01_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services. Supply chain processes include supply chain risk management programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.

Practitioner Notes

Test and analyze supplier-provided components to verify they function as expected and do not contain hidden functionality.

Example 1: Before deploying new hardware (especially from overseas manufacturers), conduct functional testing to verify the equipment operates according to specifications. Check firmware versions against known-good baselines and scan for unauthorized network communications.

Example 2: For software, run static and dynamic analysis tools (SonarQube, Checkmarx) on vendor-provided code or components before integrating them into your applications. Check for backdoors, hardcoded credentials, and suspicious network connections.
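The baseline check in Example 1, as an added illustration that is not part of the NIST text or of any product: supplier-delivered firmware images are compared against a known-good manifest by version and SHA-256, and each component yields an evidence record of the kind the Supplemental Guidance says should feed risk decisions. The component names, versions, and image bytes are constructed sample values, not real firmware.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    component: str
    version: str
    sha256: str


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good baseline (hypothetical components; hashes of sample bytes).
KNOWN_GOOD = {
    "edge-switch-fw": Baseline("edge-switch-fw", "4.2.1", _h(b"switch-fw-4.2.1-bytes")),
    "nic-fw": Baseline("nic-fw", "1.0.9", _h(b"nic-fw-1.0.9-bytes")),
}


def check_delivery(delivered: dict[str, tuple[str, bytes]]) -> list[dict]:
    """Compare delivered images (name -> (reported version, image bytes)) with the
    baseline. Returns one evidence record per component, sorted by component name."""
    findings = []
    for name, (version, image) in delivered.items():
        record = {"component": name, "reported_version": version,
                  "sha256": _h(image), "status": "ok", "reasons": []}
        baseline = KNOWN_GOOD.get(name)
        if baseline is None:
            # Something the supplier shipped that the organization never baselined.
            record["status"] = "unknown-component"
            record["reasons"].append("not in baseline")
        else:
            if version != baseline.version:
                record["status"] = "fail"
                record["reasons"].append(f"version {version} != baseline {baseline.version}")
            if record["sha256"] != baseline.sha256:
                # Version string can match while the bytes do not; the hash is authoritative.
                record["status"] = "fail"
                record["reasons"].append("image hash does not match baseline")
        findings.append(record)
    # Baselined components that were not delivered are recorded too, not silently skipped.
    for name in KNOWN_GOOD.keys() - delivered.keys():
        findings.append({"component": name, "reported_version": None, "sha256": None,
                         "status": "missing", "reasons": ["expected but not delivered"]})
    return sorted(findings, key=lambda r: r["component"])


if __name__ == "__main__":
    # Constructed delivery: nic-fw reports the right version but its bytes differ.
    for rec in check_delivery({"edge-switch-fw": ("4.2.1", b"switch-fw-4.2.1-bytes"),
                               "nic-fw": ("1.0.9", b"nic-fw-1.0.9-bytes-modified")}):
        print(rec["component"], rec["status"], rec["reasons"])
```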