The SCF SCRM (Supply Chain Risk Management) domain provides controls for identifying, assessing, and managing cybersecurity risks introduced through suppliers, vendors, and third-party components. SCRM controls address vendor risk assessments, contractual security requirements, Software Bill of Materials (SBOM) management, hardware and firmware integrity, and supply chain incident response. The domain maps to NIST SP 800-161 Rev. 1, EO 14028, and CISA software supply chain guidance.
The SCF SCRM domain addresses both traditional vendor and Third-Party Risk Management and the more specific requirements of Cyber Supply Chain Risk Management (C-SCRM) for technology components.
Key control areas include: supplier identification and tiering (categorizing suppliers by their access to systems, data, and critical functions); vendor risk assessment and due diligence requirements; contractual security flow-down requirements; Software Bill of Materials (SBOM) generation, review, and management; hardware integrity verification for critical components, particularly in OT and ICS environments; software supply chain security including secure development requirements and composition analysis; supply chain incident response and contingency planning; and ongoing monitoring and periodic re-assessment of supplier risk posture.
The SCRM domain maps to: NIST SP 800-161 Rev. 1 (the primary C-SCRM standard for federal and critical infrastructure organizations); Executive Order 14028 on Improving the Nation's Cybersecurity, which mandated SBOM requirements for federal software; CISA's software supply chain security guidance; the NIST SSDF (Secure Software Development Framework, NIST SP 800-218); and applicable CMMC and FedRAMP requirements for organizations serving the federal market.
Using the SCF SCRM domain provides a single control set addressing multiple framework requirements, reducing the cost of maintaining parallel compliance programs.
Keep Exploring
References