SR-3(3)

Requirement

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

Discussion

To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the flow down of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in SR-3b.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities].

Test

[SELECT FROM: Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities].

ID	Assessment Objectives
SR-03(03)	the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!