NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-7 — Supply Chain Operations Security
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined OPSEC controls].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.
Practitioner Notes
Apply operations security (OPSEC) to your supply chain activities — protect information about your procurement, security tools, and technology choices from adversaries.
Example 1: Do not publicly disclose which specific security products you use, who your vendors are, or your procurement timeline in job postings, social media, or conference presentations. An adversary who knows your exact security stack can target its weaknesses.
Example 2: Use non-disclosure agreements (NDAs) with all vendors and require them to protect information about your security architecture and procurement. A vendor who publicly lists you as a customer reveals information about your technology stack to potential attackers.