SR-1

Supply Chain Risk Management Policy and Procedures

Supply Chain Risk Management

The organization develops, documents, and disseminates to designated personnel or roles a supply chain risk management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, together with procedures to facilitate implementation of the policy and the associated supply chain risk management controls.

Priority: High
AI-Relevant Control

Purpose

Establish policies and procedures for managing supply chain risks.

AI Relevance

Critical for managing risks associated with AI model supply chains (pretrained models, training datasets, and ML frameworks), third-party AI services, and AI component vendors, where provenance and integrity of the acquired component are often harder to verify than for conventional software.

Implementation Guidance

Develop a comprehensive supply chain risk management policy with named owners and a defined review cadence, establish vendor assessment procedures that are applied before acquisition and at renewal, and implement ongoing supply chain monitoring so that changes in vendor or component risk are detected after initial assessment.

Assessment

Review the supply chain policy and procedures for the required elements, verify that vendor assessments have been performed and documented as the policy requires, test the supply chain controls the policy mandates, and validate that the overall supply chain risk management process is operating as written.

Requirements

  1. Develop a supply chain risk management policy
  2. Document a supply chain risk management policy
  3. Disseminate a supply chain risk management policy to personnel
  4. Address purpose in the supply chain risk management policy
  5. Address scope in the supply chain risk management policy
  6. Address roles in the supply chain risk management policy
  7. Address responsibilities in the supply chain risk management policy
  8. Address management commitment in the supply chain risk management policy
  9. Address coordination among organizational entities in the supply chain risk management policy
  10. Address compliance in the supply chain risk management policy

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Information Systems and Organizations

Official Documentation →

NIST AI RMF

AI Risk Management Framework

AI RMF Documentation →

OWASP AISVS

AI Security Verification Standard

AISVS Documentation →