Special Publication 800-161 Supply Chain Risk Management Practices for Federal
Information Systems and Organizations
APPENDIX B PAGE B-78
supply chain risk (e.g., requiring tamper-evident packaging of information system components during
shipping and warehousing). Related control: SA-19.
SA-12 (2) SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS
The organization conducts a supplier review prior to entering into a contractual agreement to
acquire the information system, system component, or information system service.
Supplemental Guidance: Supplier reviews include, for example: (i) analysis of supplier processes used to
design, develop, test, implement, verify, deliver, and support information systems, system components,
and information system services; and (ii) assessment of supplier training and experience in developing
systems, components, or services with the required security capability. These reviews provide
organizations with increased levels of visibility into supplier activities during the system development
life cycle to promote more effective supply chain risk management. Supplier reviews can also help to
determine whether primary suppliers have security safeguards in place and a practice for vetting
subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors.
SA-12 (5) SUPPLY CHAIN PROTECTION | LIMITATION OF HARM
The organization employs [Assignment: organization-defined security safeguards] to limit harm
from potential adversaries identifying and targeting the organizational supply chain.
Supplemental Guidance: Supply chain risk is part of the advanced persistent threat (APT). Security
safeguards and countermeasures to reduce the probability of adversaries successfully identifying and
targeting the supply chain include, for example: (i) avoiding the purchase of custom configurations to
reduce the risk of acquiring information systems, components, or products that have been corrupted via
supply chain actions targeted at specific organizations; (ii) employing a diverse set of suppliers to limit
the potential harm from any given supplier in the supply chain; (iii) employing approved vendor lists
with standing reputations in industry; and (iv) using procurement carve-outs (i.e., exclusions to
commitments or obligations).
SA-12 (7) SUPPLY CHAIN PROTECTION | ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE
The organization conducts an assessment of the information system, system component, or
information system service prior to selection, acceptance, or update.
Supplemental Guidance: Assessments include, for example, testing, evaluations, reviews, and analyses.
Independent, third-party entities or organizational personnel conduct assessments of systems,
components, products, tools, and services. Organizations conduct assessments to uncover unintentional
vulnerabilities and intentional vulnerabilities including, for example, malicious code, malicious
processes, defective software, and counterfeits. Assessments can include, for example, static analyses,
dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and
ensuring that components or services are genuine (e.g., using tags, cryptographic hash verifications, or
digital signatures). Evidence generated during security assessments is documented for follow-on
actions carried out by organizations. Related controls: CA-2, SA-11.
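The genuineness check named above (cryptographic hash verification of delivered components), as an added example that is not part of SP 800-161 or any supplier's tooling: it parses a supplier hash manifest in `sha256sum` format, verifies a delivery against it, and returns an evidence record for the assessment file. The file names, contents, and the delivery layout in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream-hash a delivered artifact (component images may be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse a supplier manifest in sha256sum format: '<hex digest>  <file name>' per line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries

def verify_delivery(delivery_dir: Path, manifest: dict) -> dict:
    """Check every manifest entry against the delivered files and flag undeclared extras.
    Returns an evidence record that can be filed with the acceptance assessment."""
    evidence = {"verified": [], "mismatched": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        path = delivery_dir / name
        if not path.is_file():
            evidence["missing"].append(name)
            continue
        actual = sha256_file(path)
        bucket = "verified" if actual == expected else "mismatched"
        evidence[bucket].append({"file": name, "expected": expected, "actual": actual})
    # Files the supplier never declared are treated as a finding, not ignored.
    evidence["unexpected"] = sorted(p.name for p in delivery_dir.iterdir() if p.name not in manifest)
    evidence["accepted"] = not (evidence["mismatched"] or evidence["missing"] or evidence["unexpected"])
    return evidence

def demo() -> dict:
    """Constructed delivery: one intact file, one altered in transit, one undeclared extra, one missing."""
    shipped = {"firmware.bin": b"release 1.2 image", "installer.sh": b"#!/bin/sh\necho install\n", "sbom.json": b"{}"}
    manifest_text = "\n".join(f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in shipped.items())
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "firmware.bin").write_bytes(shipped["firmware.bin"])           # matches manifest
        (d / "installer.sh").write_bytes(b"#!/bin/sh\necho install\necho modified\n")  # altered
        (d / "README.txt").write_bytes(b"undeclared file")                   # not in manifest
        return verify_delivery(d, parse_manifest(manifest_text))             # sbom.json is missing
```

A component is accepted only when every declared file verifies and nothing undeclared arrived; the returned record is the documented evidence for follow-on action.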
SA-12 (8) SUPPLY CHAIN PROTECTION | USE OF ALL-SOURCE INTELLIGENCE
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the
information system, system component, or information system service.
Supplemental Guidance: All-source intelligence analysis is employed by organizations to inform
engineering, acquisition, and risk management decisions. All-source intelligence consists of
intelligence products and/or organizations and activities that incorporate all sources of information,
most frequently including human intelligence, imagery intelligence, measurement and signature
intelligence, signals intelligence, and open source data in the production of finished intelligence.
Where available, such information is used to analyze the risk of both intentional and unintentional
vulnerabilities from development, manufacturing, and delivery processes, people, and the environment.