
SR-3

Supply Chain Risk Management | Rev 5 | organization

Supply Chain Controls and Processes

Baselines: Low, Moderate, High

Control Statement

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: system or system component] in coordination with [Assignment: supply chain personnel];

b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: supply chain controls]; and

c. Document the selected and implemented supply chain processes and controls in [Selection: organization-defined value].

Supplemental Guidance

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

Related Controls (23)

CA-2, MA-2, MA-6, PE-3, PE-16, PL-8, PM-30, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9, SA-10, SA-15, SC-7, SC-29, SC-30, SC-38, SI-7, SR-6, SR-9, SR-11

CCI Identifiers (11)

CCI-005080: Establish a process of processes to identify and address weaknesses or deficiencies in the supply chain elements of organization-defined system or system components in coordination with organization-defined supply chain personnel.

CCI-005086: Employ the following controls to protect against supply chain risks to the system, system component, or system service.

CCI-005087: Limit the harm or consequences from supply chain-related events.

CCI-005088: Defines the supply chain controls employed for protecting against supply chain risks to the system, system component, or system service.

CCI-005089: Document the selected and implemented supply chain processes and controls in security and privacy plans, supply chain risk management plan, or organization-defined document.

CCI-005090: Defines the document which contains supply chain processes and controls.

CCI-005081: Defines the system or system processes which establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain elements.

CCI-005082: Defines the supply chain personnel who, in coordination, establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain elements.

CCI-005083: Establish a process of processes to identify and address weaknesses or deficiencies in the processes of organization-defined system or system components in coordination with organization-defined supply chain personnel.

CCI-005084: Defines the system or system processes which establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain processes.

CCI-005085: Defines the supply chain personnel who, in coordination, establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain processes.

Linked STIG Checks (0)

No STIG checks reference this control.