SR-2

Supply Chain Risk Management Plan

Supply Chain Risk Management

The organization develops a plan to manage supply chain risks associated with the information system, system component, or information system service.

High Priority | AI-Relevant Control

Purpose

Develop a comprehensive plan for identifying, assessing, and mitigating supply chain risks.

AI Relevance

Essential for planning and managing risks in AI supply chains, including model providers, data sources, and AI infrastructure vendors.

Implementation Guidance

Create detailed supply chain risk management plans, establish risk assessment procedures, and implement risk mitigation strategies.

Assessment

Review supply chain risk management plans, verify risk assessments, test risk mitigation controls, and validate risk management processes.

Requirements

  1. Develop a supply chain risk management plan
  2. Document supply chain risk management strategies
  3. Identify supply chain risk management objectives
  4. Define supply chain risk management scope
  5. Establish supply chain risk management roles and responsibilities
  6. Define supply chain risk management processes
  7. Establish supply chain risk management procedures
  8. Define supply chain risk management tools and techniques
  9. Establish supply chain risk management metrics and measures
  10. Define supply chain risk management reporting requirements

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems


NIST AI RMF

AI Risk Management Framework


OWASP AISVS

AI Security Verification Standard
