SR-3: Supply Chain Controls and Processes

NIST Baseline: Low 

DIR Required By:  07/20/2023 

Review Date:  08/27/2024 

• It is the responsibility of the Tarleton State University (Tarleton) Chief Information Security Officer (CISO), or their designee, to: 
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of the High Impact information resources in coordination with the applicable information resource owners and/or custodians.  
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm and consequences from supply chain-related events: 
    • Control CA-2, Control Assessments 
    • Control MA-2, Controlled Maintenance 
    • Control SA-4, Acquisition Process 
    • Control SA-9, External System Services 
    • Control SR-12, Component Disposal 
  • Document the selected and implemented supply chain processes and controls in the supply chain risk management plan. 

---

References/Additional Resources

FASC18 

41 CFR 201 

EO 13873 

SP 800-30 

SP 800-161 

IR 7622