CCI-003202
CCI-003202 Definition
Status:
Type: CheckType.policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents security safeguards to employ to limit harm from potential adversaries identifying and targeting the organizational supply chain IAW DoDI 5200.44. Examples of security safeguards that the organization should consider implementing to limit the harm from potential adversaries targeting the organizational supply chain are:
1. Using trusted physical delivery mechanisms that do not permit access to the element during delivery (ship via a protected carrier, use cleared/official couriers, or a diplomatic pouch);
2. Using trusted electronic delivery of products and services (require downloading from approved, verification-enhanced sites);
3. Avoiding the purchase of custom configurations, where feasible;
4. Using procurement carve-outs (i.e., exclusions to commitments or obligations), where feasible;
5. Using defensive design approaches;
6. Employing system OPSEC principles;
7. Employing a diverse set of suppliers;
8. Employing approved vendor lists with standing reputations in industry;
9. Using a centralized intermediary and “Blind Buy” approaches to acquire element(s) to hide actual usage locations from an untrustworthy supplier or adversary; employing inventory management policies and processes;
10. Using flexible agreements during each acquisition and procurement phase so that it is possible to meet emerging needs or requirements to address supply chain risk without requiring complete revision or re-competition of an acquisition or procurement;
11. Using international, national, commercial or government standards to increase the potential supply base;
12. Limiting the disclosure of information that can become publicly available; and
13. Minimizing the time between purchase decisions and required delivery.
Organizations should reference the SCRM Key Practices and Implementation Guide for DoD for additional guidance.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined IAW DoDI 5200.44. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan showing security safeguards limiting harm from potential adversaries identifying and targeting the supply chain.