C-SCRM Strategy & Implementation Plan

ComplianceForge Support

ComplianceForge is pleased to announce the release of a new product: the Cybersecurity Supply Chain Risk Management (C-SCRM) Strategy & Implementation Plan. It is based on the recently released NIST SP 800-161 Rev 1 and is focused on operationalizing an organization's C-SCRM plan. This editable documentation can save hundreds of hours of research and writing time, allowing an organization to hit the ground running on C-SCRM.

Product Page: https://complianceforge.com/product/nist-800-161-cscrm-strategy-implementation-plan

NIST 800-161 R1 C-SCRM strategy and implementation plan

Product highlights of the C-SCRM SIP include:

  • Country-based risk guidance to determine minimum management decision levels for conducting operations in or contracting with suppliers from countries that pose a legitimate C-SCRM threat.
  • The prioritized implementation plan contains mappings for NIST SP 800-161 R1 controls to each C-SCRM implementation phase.
  • Professionally-written, editable documentation template that leverages industry-recognized "best practices" for C-SCRM.
  • Cost-effective solution to quickly generate documentation for a C-SCRM strategy and implementation plan.
  • Example flow-down contract requirements for suppliers, vendors, subcontractors, etc. (DFARS/CMMC, ISO 27001, NIST CSF, NIST 800-53, FAR, PCI DSS, and EU GDPR/CCPA).

To properly manage supply chain-related threats, an organization must evaluate the country-based threats posed by its supply chain. This review must cover the geographic concerns for where your products, services and support originate from or transit through, specifically any third parties that:

  • Transmit, process and/or store your company's or its clients' data across the SISP's systems, applications and/or services;
  • Manufacture products or product components used in your company's operations and/or products; and/or
  • Provide services for your company's operations and/or products.

Within the C-SCRM SIP, the criteria for geographic-specific threat management are refined by guidance from:

  • Priority Watch List & Watch List
  • Corruption Perceptions Index
  • Notorious Markets List
  • Designated State Sponsors of Terrorism
  • EAR / ITAR restrictions
  • Potentially hostile data localization laws

NIST SP 800-53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been withdrawn or folded into other controls. Some controls are not assigned to any baseline (low, moderate, high, or privacy) per NIST SP 800-53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.