Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Supply Chain Risk Management (SCRM) Plan Template
$ 1,100.00 USD
The SCRM Plan template is an editable Microsoft Word document that is intended to operationalize a C-SCRM Plan that can enforce security across your supply chain (e.g., service providers, vendors, contractors, etc.). This product includes a wealth of information to customize a SCRM/C-SCRM Plan that is specific to your organization.
Product Category:
Supply Chain Risk Management
SKU:
P19-SCRM-Plan
Availability:
Email Delivery Within 1-2 Business Days
ComplianceForge documentation is written to follow industry-recognized secure practices, but you are still expected to tailor the documentation to suit your organization's specific security, compliance & resilience requirements. By providing your company name and your logo (your logo is optional), we tailor the documentation to include this information.
How Do I Request A Quote?
To request a quote, select the "Request a Quote" button beside the "Add To Cart" button. This will direct you to a page where you can request a custom quote.
Can I Pay By Invoice?
Yes. To pay by invoice, add the product to your cart, go through the checkout process, and fill out your billing information. Once you get to the payment method, select "Offline Payment via Invoice / Purchase Order (PO)" and then select "Place Order."
Can I Pay By Wire / ACH?
Yes. To pay by Wire / ACH, you can request an invoice by following the instructions above. Once you have the invoice, it will contain the necessary info for you to finalize payment by Wire / ACH.
Supply Chain Risk Management (SCRM) Plan Template
  • Based on NIST 800-161 Rev 1 - the "gold standard" for C-SCRM practices.
  • Designed to operationalize a C-SCRM Plan that can enforce security across your supply chain.
  • Efficient and professionally-written format that enables you to hit the ground running with C-SCRM.
  • Immense time & cost savings - enables subject matter experts to fill in the details that only they know.
Product Overview

Don't Write It From Scratch.

Prime contractors and federal customers increasingly require a written supply chain risk management plan before they will do business with you. Could you hand over a SCRM Plan aligned to NIST 800-161 today, or would you be starting from a blank page? Producing one that holds up takes time and specialized knowledge. The Supply Chain Risk Management (SCRM) Plan Template gives you a running start: editable SCRM Plan templates, including both a NIST SP 800-161 Rev 1 version and a DoD version, plus the supporting templates you need to complete it. It gets you roughly 80 to 90 percent of the way there, then you tailor the plan to your suppliers and contractual obligations.

ComplianceForge provides more than a basic Supply Chain Risk Management Plan (SCRM Plan) template, since we include two (2) different versions of a SCRM Plan, as well as other very useful templates you will need to fill out a SCRM Plan for your organization:

  • NIST version: NIST SP 800-161 Rev 1 Cybersecurity Supply Chain Risk Management Plan (C-SCRM Plan) template (for those who want to align with NIST SP 800-161 practices for what a C-SCRM plan should contain).
  • DoD version: DI-MGMT-82256A Supply Chain Risk Management Plan (SCRM Plan) template (for those who want to align with DoD practices for what a SCRM Plan should contain).
  • Cybersecurity Supply Chain Risk Assessment (C-SCRA) template based on NIST SP 800-161 Rev 1.
  • SCRM Risk Register.

Supply chain risk has become a board-level concern. Regulators, customers, and insurers now expect formal C-SCRM documentation as evidence of due diligence. This product provides that documentation in editable form.

Product Details

What Is The SCRM Plan?

The SCRM Plan template is an editable Microsoft Word document that is intended to operationalize a C-SCRM Plan that can enforce security across your supply chain (e.g., service providers, vendors, contractors, etc.). This product includes a wealth of information to customize a SCRM/C-SCRM Plan that is specific to your organization. This helps address common compliance requirements from the General Services Administration (GSA) and NIST SP 800-171 Rev 3 (requirement 03.17.01 - Supply Chain Risk Management Plan). Having two (2) different formats of SCRM Plan to choose from provides you flexibility, since it is unclear which form of SCRM Plan the Department of Defense (DoD) will require for Cybersecurity Maturity Model Certification (CMMC) once it adopts NIST SP 800-171 Rev 3.

Editable NIST SP 800-161 Rev 1 C-SCRM Plan Template
NIST SP 800-161 Rev 1's C-SCRM Plan is already being required as part of GSA contracts (e.g., OASIS+ J-3 Deliverables). Within the C-SCRM Plan is a requirement for a Cybersecurity Supply Chain Risk Assessment (C-SCRA) and ComplianceForge includes both Microsoft Word and Excel templates to conduct a C-SCRA, based on NIST SP 800-161 Rev 1 criteria. If you need to create a C-SCRM Plan based on NIST SP 800-161 Rev 1, these templates will set you up for success. Included in the template is alignment with the C-SCRM Baseline controls from NIST SP 800-161 Rev 1, but that can be edited if you want to add additional C-SCRM controls for your specific needs.
Editable DoD DI-MGMT-82256A SCRM Plan Template
The DoD's DI-MGMT-82256A format contains more content requirements than NIST SP 800-161 Rev 1's C-SCRM Plan template. This version of the SCRM Plan template provides the criteria established in DI-MGMT-82256A, so if you need to build a SCRM Plan based on that requirement, this template sets you up for success.
Editable Cybersecurity Supply Chain Risk Assessment (C-SCRA) Template
This purchase includes a Cybersecurity Supply Chain Risk Assessment (C-SCRA) template to guide the review of any third-party product, service, or supplier that could present a cybersecurity risk to your organization. The objective of the C-SCRA template is to provide a toolbox of questions and report format that you can use to identify and assess supply chain risks. The C-SCRA is meant to consider available public and private information to perform a holistic assessment, including known cybersecurity risks throughout the supply chain, the likelihoods of their occurrence, and their potential impacts on an organization and its information and systems.

Supply chain risk management is no longer a back-office concern. With third-party breaches accounting for an increasing share of overall security incidents, formal C-SCRM documentation has become a baseline expectation for cyber insurance, customer due diligence, and regulatory compliance. NIST SP 800-161 Rev 1 C-SCRM Plans are already required as part of GSA contracts (including OASIS+ J-3 Deliverables) and under NIST SP 800-171 Rev 3 requirement 03.17.01.

The SCRM Plan provides the documentation structure to demonstrate that C-SCRM is a defined, repeatable, and managed program rather than an ad-hoc collection of vendor reviews. Having two SCRM Plan formats provides flexibility, since it is unclear which form of SCRM Plan the Department of Defense will require for CMMC once it adopts NIST SP 800-171 Rev 3.

How It's Delivered

No Software To Install

This product is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word and Excel files, the SCRM Plan template is ready to use.

Microsoft Word & Excel

Delivered as fully editable .docx and .xlsx files. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs.

Email Delivery

Documentation is delivered via email download link within 1-2 business days of purchase. There is no installer, no license server, and no activation step.

One-Time Purchase

A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as C-SCRM frameworks evolve.

This deployment model is intentional. C-SCRM documentation benefits from being in the organization's own hands, inside its own document management systems, rather than locked inside a vendor's SaaS tool. Once delivered, this product belongs to the buyer.

The Problem

What Problems Does The SCRM Plan Template Solve?

While Cybersecurity Supply Chain Risk Management (C-SCRM) is not new, there is a lack of good references on how to actually build a SCRM/C-SCRM Plan. ComplianceForge's SCRM Plan template helps solve the following problems:

Lack of In House Security Experience

Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SCRM Plan template is an efficient method to obtain documentation to build a SCRM Plan based on NIST SP 800-161 Rev 1!

Compliance Requirements

It is becoming increasingly common for organizations, regardless of industry, to be required to govern their supply chains for cybersecurity and privacy threats and risks.

Audit Failures

Many organizations run into trouble in audits when asked HOW third-party or supply chain risk is managed, since they cannot provide documentation beyond policies and standards. The C-SCRM SIP addresses the HOW for you!

Vendor Requirements

It is very common for clients and partners to request evidence of third-party cybersecurity governance. The C-SCRM SIP provides this evidence!

The Solution

How Does the SCRM Plan Solve These Problems?

The SCRM Plan addresses supply chain documentation gaps with specific, measurable outcomes scoped for organizations needing audit-ready C-SCRM coverage.

Clear Documentation

The SCRM Plan template provides the documentation to prove that your vendor compliance program exists.

Time Savings

The SCRM Plan can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.

Alignment With Leading Practices

The SCRM Plan is aligned with NIST SP 800-161 Rev 1, which is the "gold standard" for supply chain risk management practices.

Time Savings

The SCRM Plan compresses what would otherwise be months of internal effort into weeks of customization work. ComplianceForge processes most orders the same business day so organizations can start customizing immediately.

What You Get

What Is Included?

The SCRM Plan is delivered as editable Microsoft Word documents with Excel-based assessment templates. Purchase includes a single-entity license and the first year of product updates.

NIST SP 800-161 Rev 1 C-SCRM Plan Template

Editable C-SCRM Plan template aligned with NIST SP 800-161 Rev 1, the gold standard for authoritative C-SCRM guidance. Suitable for GSA contracts including OASIS+ J-3 Deliverables and NIST SP 800-171 Rev 3 requirement 03.17.01.

DoD DI-MGMT-82256A SCRM Plan Template

Editable DoD-aligned SCRM Plan template based on DI-MGMT-82256A. Provides the criteria DoD contractors need for SCRM Plan deliverables and is positioned for likely CMMC adoption.

Cybersecurity Supply Chain Risk Assessment (C-SCRA) Template

Cybersecurity Supply Chain Risk Assessment template in Word and Excel formats based on NIST SP 800-161 Rev 1. Includes a toolbox of questions and report format to identify and assess supply chain risks for third-party products, services, and suppliers.

SCRM Risk Register

Editable Excel-based risk register for tracking supplier and supply chain risks over time. Supports the risk treatment workflow defined in both SCRM Plan variants and integrates with the C-SCRA assessment results.

Pairs With The TPRM Program

The SCRM Plan is the strategic and planning layer for supply chain risk. The companion Third-Party Risk Management (TPRM) Program provides the operational documentation: the policies, procedures, and assessment templates that operationalize the strategy. Most organizations purchase both for complete coverage of supply chain and third-party risk.

Your ROI

Cost Savings Estimate

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SCRM Plan from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

Internal Staff Cost

For your internal staff to generate comparable documentation, it would take them an estimated 70 internal staff work hours, which equates to a cost of approximately $3,500 in staff-related expenses. This is about 1 to 2 months of development time where your staff would be diverted from other work.

The SCRM Plan template is approximately 21% of the cost for your internal staff to generate equivalent documentation.

External Consultant Cost

If you hire a consultant to generate this documentation, it would take them an estimated 40 consultant work hours, which equates to a cost of approximately $11,500. This is about 3 to 6 weeks of development time for a contractor to provide you with the deliverable.

The SCRM Plan template is approximately 8% of the cost for an external consultant to generate equivalent documentation.

See It First

Product Examples

When you buy this product, you get two (2) different versions of SCRM Plan: (1) NIST SP 800-161 Rev 1 C-SCRM Plan template and (2) DI-MGMT-82256A SCRM Plan template. These templates allow you to create a SCRM Plan to address your compliance needs, as well as including a Cybersecurity Supply Chain Risk Assessment (C-SCRA) template at no additional cost. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.

Below are PDF examples of what you would expect from our Microsoft Word documentation, so you can see the quality and structure of both SCRM Plan variants before purchase.

NIST 800-161 Rev 1 C-SCRM Plan Template

Below is a PDF example containing a sample of the C-SCRM Plan Template you would receive upon purchasing the SCRM Plan template.

DI-MGMT-82256A SCRM Plan Template

Below is a PDF example containing a sample of the SCRM Plan Template you would receive upon purchasing the SCRM Plan template.

Your Effort

How Much Customization Remains?

Only you know the supply chain specifics for your organization, so customization of these templates is required to fill in the details that only your team knows. ComplianceForge aims for approximately an 80% solution for the SCRM Plan template. This means ComplianceForge did the heavy lifting, and the remaining work is fine-tuning the SCRM Plan with the specific information that only your organization knows to make it applicable.

In practice, customization is filling in the blanks and following the guidance provided to identify the who, what, when, where, why, and how for your specific environment. Typical customization tasks include adding your company name and logo, tailoring parameters such as supplier tiering thresholds and assessment cadences, naming specific owner roles, populating the risk register with your active supplier inventory, and removing sections that do not apply to your organization.

Need A Hand?

Professional Services

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:

We offer the following professional service bundles:

5-Hour Bundle

This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.

10-Hour Bundle

This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.

20-Hour Bundle

This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.

Important Details About Professional Services

Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.

Market Pressure

Why C-SCRM Documentation Is Now Mandatory

Cyber insurers, enterprise customers, and federal regulators have converged on a baseline expectation: organizations must have documented Cybersecurity Supply Chain Risk Management programs. This is no longer a nice-to-have. Customer questionnaires routinely include C-SCRM questions, and cyber insurance underwriting now factors C-SCRM maturity into pricing.

For federal contractors, FAR, DFARS, FedRAMP, and CMMC all reference supply chain risk management. NIST SP 800-171 Rev 3 explicitly calls for a Supply Chain Risk Management Plan as requirement 03.17.01. GSA's OASIS+ contract vehicle already requires C-SCRM Plan deliverables under the J-3 Deliverables clause. Organizations without documented C-SCRM are now at material risk of failing audits, losing contracts, and being declined coverage.

Federal Alignment

Federal Compliance Alignment

The SCRM Plan is structured to satisfy multiple federal C-SCRM requirements simultaneously. The NIST SP 800-161 Rev 1 variant aligns with the C-SCRM Baseline controls and supports GSA OASIS+ J-3 Deliverables, NIST SP 800-171 Rev 3 requirement 03.17.01, FedRAMP supply chain expectations, and the supply chain risk management practices expected for CMMC.

The DI-MGMT-82256A variant provides the format DoD contractors need for SCRM Plan deliverables under DoD contracts. Having both formats available means an organization can pivot between them as contract requirements evolve, without needing to start over from scratch. The included C-SCRA template supplies the cybersecurity supply chain risk assessment required by NIST 800-161 Rev 1.

Difference Between SCRM & C-SCRM

What Is The Difference Between A SCRM Plan And A C-SCRM Plan?

For the purposes of common compliance requirements for a SCRM Plan (e.g., GSA, NIST SP 800-171 Rev 3, etc.), the terms "Supply Chain Risk Management (SCRM)" and "Cybersecurity Supply Chain Risk Management (C-SCRM)" should be considered equivalent. Strictly speaking, however, C-SCRM is a subset of SCRM, since SCRM takes a broader view of supply chain risks than cybersecurity alone.
When you look at current usage of the terminology, the DoD, GSA, NIST and other bodies use the terminology interchangeably:
NIST's Glossary does not provide a definition for C-SCRM, but it does define SCRM as "the implementation of processes, tools or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle."
Testimonials

What Are Some Of Our Testimonials?

Excellent Starting Point
ComplianceForge's SCF-based policy documentation offers consolidated coverage of security and privacy controls requirements in a single, cohesive package. Because it's built on the Secure Controls Framework, a metaframework that tracks security and privacy standards globally and releases quarterly updates, it gives organizations confidence that their documentation stays current as requirements evolve. For any organization standing up a security and privacy program from scratch, it provides an excellent starting point.
Would You Like To Share Your Experiences?
If you are satisfied with your product and would like to leave a review, please fill out our testimonial form and share your experiences with our documentation! We enjoy hearing from satisfied customers, and we are always open to constructive feedback so that we can continue improving our products.