Editable Supply Chain Risk Management Plan (SCRM Plan) Template
ComplianceForge provides more than a basic Supply Chain Risk Management Plan (SCRM Plan) template, since we include two (2) different versions of a SCRM Plan, as well as other very useful templates you will need to fill out a SCRM Plan for your organization:
- NIST version - NIST SP 800-161 Rev 1 Cybersecurity Supply Chain Risk Management Plan (C-SCRM Plan) template (for those who want to align with NIST SP 800-161 practices for what a C-SCRM plan should contain);
- DoD version - DI-MGMT-82256A Supply Chain Risk Management Plan (SCRM Plan) template (for those who want to align with DoD practices for what a SCRM Plan should contain);
- Cybersecurity Supply Chain Risk Assessment (C-SCRA) template based on NIST SP 800-161 Rev 1; and
- SCRM Risk Register.
What Is The Difference Between A SCRM Plan And A C-SCRM Plan?
For the purposes of common compliance requirements for a SCRM Plan (e.g., GSA, NIST SP 800-171 Rev 3, etc.), the terms "Supply Chain Risk Management (SCRM)" and "Cybersecurity Supply Chain Risk Management (C-SCRM)" should be considered equivalent. Strictly speaking, however, C-SCRM is a subset of SCRM, since SCRM covers supply chain risks beyond cybersecurity (e.g., financial, geopolitical and logistical risks).
When you look at current usage of the terminology, the DoD, GSA, NIST and other bodies use the terminology interchangeably:
- NIST calls it a "SCRM" in NIST SP 800-171 Rev 3;
- NIST calls it a "C-SCRM" in NIST SP 800-161 Rev 1;
- GSA calls it a "SCRM" in OASIS+ requirements, even when focused on cybersecurity-related matters; and
- DoD calls it a "SCRM" in DI-MGMT-82256A.
NIST's Glossary does not provide a definition for C-SCRM, but it does define SCRM as "the implementation of processes, tools or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle."
What Is A Supply Chain Risk Management Plan (SCRM Plan) Template?
The SCRM Plan template is an editable Microsoft Word document that is intended to operationalize a C-SCRM Plan capable of enforcing security across your supply chain (e.g., service providers, vendors, contractors, etc.). This product includes a wealth of information to customize a SCRM/C-SCRM Plan that is specific to your organization. This helps address common compliance requirements from the General Services Administration (GSA) and NIST SP 800-171 Rev 3 (requirement 03.17.01, Supply Chain Risk Management Plan). Having two (2) different formats of SCRM Plan to choose from provides flexibility, since it is unclear which form of SCRM Plan the Department of Defense (DoD) will require for Cybersecurity Maturity Model Certification (CMMC) once it adopts NIST SP 800-171 Rev 3.
Editable NIST SP 800-161 Rev 1 C-SCRM Plan Template
NIST SP 800-161 Rev 1's C-SCRM Plan is already being required as part of GSA contracts (e.g., OASIS+ J-3 Deliverables). Within the C-SCRM Plan is a requirement for a Cybersecurity Supply Chain Risk Assessment (C-SCRA) and ComplianceForge includes both Microsoft Word and Excel templates to conduct a C-SCRA, based on NIST SP 800-161 Rev 1 criteria. If you need to create a C-SCRM Plan based on NIST SP 800-161 Rev 1, these templates will set you up for success. Included in the template is alignment with the C-SCRM Baseline controls from NIST SP 800-161 Rev 1, but that can be edited if you want to add additional C-SCRM controls for your specific needs.
Editable DoD DI-MGMT-82256A SCRM Plan Template
The DoD's DI-MGMT-82256A format contains more content requirements than NIST SP 800-161 Rev 1's C-SCRM Plan template. This version of the SCRM Plan template provides the criteria established in DI-MGMT-82256A, so if you need to build a SCRM Plan based on that requirement, this template sets you up for success.
Editable Cybersecurity Supply Chain Risk Assessment (C-SCRA) Template
This purchase includes a Cybersecurity Supply Chain Risk Assessment (C-SCRA) template to guide the review of any third-party product, service, or supplier that could present a cybersecurity risk to your organization. The objective of the C-SCRA template is to provide a toolbox of questions and report format that you can use to identify and assess supply chain risks. The C-SCRA is meant to consider available public and private information to perform a holistic assessment, including known cybersecurity risks throughout the supply chain, the likelihoods of their occurrence, and their potential impacts on an organization and its information and systems.
The C-SCRA is based on NIST SP 800-161 Rev 1 guidance for what risk assessment for SCRM should contain.
Optional C-SCRM Strategy & Implementation Plan (C-SCRM SIP)
If you want more than just a SCRM Plan template, ComplianceForge developed an editable C-SCRM strategy and implementation plan. This not only includes the SCRM Plan templates, but this fully-editable documentation (e.g., Word, Excel, PowerPoint, etc.) enables your organization to "hit the ground running" with C-SCRM operations that are aligned with NIST SP 800-161 Rev 1, which is the current "gold standard" for authoritative C-SCRM guidance.
The reality is that organizations depend on a global supply chain to provide a variety of products and services that enable the achievement of their strategic and operational objectives. Given that global scope, identifying cybersecurity and data protection risks, threats and vulnerabilities throughout the supply chain is complicated by the information asymmetry that exists between acquiring enterprises and their suppliers and service providers:
- Acquirers often lack visibility into, and understanding of, how acquired technology is developed, integrated and deployed, and how the services they acquire are delivered.
- Acquirers with inadequate or absent C-SCRM processes, procedures and practices may experience increased exposure to cybersecurity risks throughout the supply chain.
How Much Customization Is Remaining?
Only you know the supply chain specifics of your organization, so you will have to customize these templates to fill in the details that only your team knows. However, we aimed for approximately an "80% solution" with the SCRM Plan template. This means ComplianceForge did the heavy lifting for you, and all you have to do is fine-tune the SCRM Plan with the specific information that only you know to make it applicable to your organization. It is largely a matter of filling in the blanks and following the guidance we provide to identify the who / what / when / where / why / how to make it complete.
What Problems Does The SCRM Plan Template Solve?
While Cybersecurity Supply Chain Risk Management (C-SCRM) is not new, there is a lack of good references on how to actually build a SCRM/C-SCRM Plan. ComplianceForge's SCRM Plan template helps solve the following problems:
- Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers with writing comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SCRM Plan template is an efficient way to obtain documentation to build a SCRM Plan based on NIST SP 800-161 Rev 1!
- Compliance Requirements - It is becoming increasingly common for organizations, regardless of industry, to be required to govern their supply chains for cybersecurity and privacy threats and risks.
- Audit Failures - Many organizations run into trouble in audits when asked HOW third-party or supply chain risk is managed, since they cannot provide documentation beyond policies and standards. The SCRM Plan template addresses the HOW for you!
- Vendor Requirements - It is very common for clients and partners to request evidence of third-party cybersecurity governance. The SCRM Plan template provides this evidence!
How Does The SCRM Plan Template Solve These Problems?
- Clear Documentation - The SCRM Plan template provides the documentation to prove that your vendor compliance program exists.
- Time Savings - The SCRM Plan can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - The SCRM Plan is aligned with NIST SP 800-161 Rev 1, which is the "gold standard" for supply chain risk management practices.
Product Example - Supply Chain Risk Management (SCRM) Plan
When you buy this product, you get two (2) different versions of SCRM Plan: (1) NIST SP 800-161 Rev 1 C-SCRM Plan template and (2) DI-MGMT-82256A SCRM Plan template. These templates allow you to create a SCRM Plan to address your compliance needs, as well as including a Cybersecurity Supply Chain Risk Assessment (C-SCRA) template at no additional cost. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
View C-SCRM / SCRM Plan Product Examples
If you would like to view examples of ComplianceForge's Cybersecurity Supply Chain Risk Management (C-SCRM) Plan documentation, product examples are available for:
- NIST SP 800-161 Rev 1 C-SCRM Plan Template
- DI-MGMT-82256A SCRM Plan Template
Cost Savings Estimate - SCRM Plan Template
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparison paints a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SCRM Plan template from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
- For your internal staff to generate comparable documentation, it would take them an estimated 70 internal staff work hours, which equates to a cost of approximately $7,000 in staff-related expenses. This is about 1-2 months of development time where your staff would be diverted from other work.
- If you hire a consultant to generate this documentation, it would take them an estimated 40 consultant work hours, which equates to a cost of approximately $13,000. This is about 3-6 weeks of development time for a contractor to provide you with the deliverable.
- The SCRM Plan template is approximately 8% of the cost for a consultant or 15% of the cost of your internal staff to generate equivalent documentation.
- We process most orders the same business day so you can potentially start working with the SCRM Plan template the same day you place your order.
No Software To Install
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the SCRM Plan template!
Optional Professional Services (Add On)
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at: www.complianceforge.com/contact-us/.
We offer our professional services in bundles of: five (5), ten (10) & twenty (20) hours.
Purchased professional service hours expire 120 days (4 months) after the time of purchase.