Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: RM

Level Introduced: 4

Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.

CMMC Clarification:
An organization relies heavily on products and solutions created by other entities. These solution sets can add risk to an organization’s overall cyber security posture. Organizations need to develop a plan for managing the supply chain risks associated with the IT supply chain. The scope of the plan is the IT suppliers for the networking, storage, and computing software, hardware, and services that support the storage, processing and transmission of CUI and are part of the CMMC assessment. This plan needs to be updated from time to time and verify that organization policies match the plan, and the organization follows this plan when obtaining solutions from this supply chain.

Example 1
The organization plans for managing supply chain risks with the IT supply chain, developing SCRM plan. As an example, the plan prohibits purchasing any products made in specific countries and requires that purchased items be tested in an offline environment prior to connecting them to the corporate network.

Example 2
An organization wants to purchase new laptops for a special project that will contain CUI. The purchasing process follows the supply chain risk management plan written by the organization. The laptops are purchased from a trusted vendor. After delivery the systems are analyzed for tampering and the BIOS compared with the version provided by the vendor. Once the systems pass these checks, then all of their operating systems are re-installed to prevent any unwanted software from being on the systems prior to given them to users.


Develop and update a plan for managing supply chain risks associated with organizational systems and system components.

The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. SCRM plans address requirements for developing trustworthy, secure, and resilient systems and system components, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes.

[SP 800-161] provides guidance on supply chain risk management.

Source: NIST Special Publication 800-172 (Draft)



The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.

Supplemental Guidance:
Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02