Deep Dive into the new Supply Chain Risk Management Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the new Supply Chain Risk Management family that the new baselines bring.

The Low, Moderate, and High baselines include:

• A requirement to develop, document, and disseminate policies and procedures to facilitate the implementation of supply chain risk management
• A requirement to develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the systems, system components or system services
• A requirement to review and update the supply chain risk management plan as required, to address threat, organizational, or environmental changes
• A requirement to protect the supply chain risk management plan from unauthorized disclosure and modification
• A requirement to establish a supply chain risk management team to lead and support SCRM activities
• A requirement to establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of systems or system components
• A requirement to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events
• A requirement to document the selected and implemented supply chain processes and controls in security and privacy plans and the supply chain risk management plan
• A requirement to employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks
• A requirement to establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises, results of assessments, or audits
• A requirement to inspect systems or system components to detect tampering
• A requirement to develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system
• A requirement to report counterfeit system components to the source of the counterfeit component and external reporting organizations
• A requirement to train personnel to detect counterfeit system components
• A requirement to maintain configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service
• A requirement to dispose of data, documentation, tools, or system components using specified methods

The Moderate and High baselines include:

• A requirement to assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide

The High baseline includes:

• A requirement to implement a tamper protection program for the system, system component, or system service
• A requirement to employ anti-tamper technologies, tools, and techniques throughout the system development life cycle

This concludes our deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp