CCI-005092
CCI-005092 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- a diverse set of sources is employed for [SR-03(01)_ODP[01]; system components with a diverse set of sources are defined].
- a diverse set of sources is employed for [SR-03(01)_ODP[02]; services with a diverse set of sources are defined].
Validation Procedures
Examine: [SELECT FROM: Supply chain risk management policy and procedures; system and services acquisition policy; planning policy; procedures addressing supply chain protection; physical inventory of critical systems and system components; inventory of critical suppliers, service providers, developers, and contracts; inventory records of critical system components; list of security safeguards ensuring an adequate supply of critical system components; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities].

Test: [SELECT FROM: Organizational processes for defining and employing security safeguards to ensure an adequate supply of critical system components; processes to identify critical suppliers; mechanisms supporting and/or implementing the security safeguards that ensure an adequate supply of critical system components].