Supply Chain Risk Management (SCRM) Frameworks
The multi-framework discipline for identifying, assessing, and mitigating cybersecurity risks introduced by hardware, software, and service providers across the technology supply chain.
Supply Chain Risk Management (SCRM) for information and communications technology (ICT) is governed by NIST SP 800-161 revision 1 ("Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations," May 2022), which provides a comprehensive framework integrating C-SCRM into existing risk management and acquisition processes. The document defines C-SCRM at three organizational tiers: Tier 1 (organizational/governance level), Tier 2 (mission/business process level), and Tier 3 (system/operational level). Key practices include establishing a C-SCRM policy and strategy, identifying critical components and suppliers, conducting supplier risk assessments using standardized questionnaires (NIST SP 800-161 Appendix C), including SCRM requirements in acquisition contracts, and monitoring supplier security posture on an ongoing basis. EO 14028 Section 4(e) specifically directed NIST to update SP 800-161, resulting in the current revision.
The engineering dimension of SCRM is hardware and software provenance assurance. For hardware, this means maintaining a hardware bill of materials (HBOM) for critical systems, using trusted suppliers with validated anti-counterfeiting programs, implementing a hardware root of trust (TPM 2.0, secure boot, or device attestation) for all servers and network equipment, and validating firmware integrity by verifying cryptographic signatures at provisioning time. For software, SBOMs (SPDX/CycloneDX) provide component provenance, while artifact signing (Sigstore, GPG) and build provenance attestations (SLSA provenance) provide supply chain integrity guarantees. SLSA (Supply-chain Levels for Software Artifacts, now SLSA v1.0) defines four build integrity levels, with SLSA Level 3 requiring a hosted build platform with a hardened build environment and isolation between build jobs.
Specific regulatory SCRM requirements include: DFARS 252.204-7012 requires contractors to "rapidly report" supply chain attacks to DoD; DFARS 252.239-7017/7018 restrict the use of covered telecommunications equipment (Section 889 NDAA); NIST SP 800-171 control SA.3.169 requires an explicit SCRM plan for systems processing CUI; and FAR clause 52.204-23 requires contractors to report incidents involving counterfeit electronic parts. The CISA ICT Supply Chain Risk Management Task Force (ICT SCRM TF) publishes threat scenarios and recommended mitigations for specific ICT supply chain attack vectors. For software supply chain specifically, the 2020 SolarWinds attack demonstrated that compromised build systems can inject malicious code into signed software updates, making SLSA build provenance and build system isolation foundational SCRM controls.
We build C-SCRM programs grounded in NIST SP 800-161r1 that span all three organizational tiers: governance policies and supplier risk frameworks at Tier 1, component criticality assessment and SBOM/HBOM inventory at Tier 2, and technical controls including hardware root of trust, build provenance (SLSA), and artifact signing at Tier 3. We integrate supplier risk scoring into procurement workflows and implement automated supply chain monitoring that alerts on new CVEs in inventoried components.
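As an added example (not code from this page or from any vendor), the Tier 3 checks described above: a policy check over a constructed SLSA v1 provenance statement that binds the artifact digest, builder identity and source repository, plus matching a constructed CycloneDX SBOM against a constructed advisory feed. It assumes the provenance signature (Sigstore/GPG) has already been verified upstream; all URIs, names and the CVE id are placeholders.

```python
import hashlib

# Constructed release artifact and a constructed SLSA v1.0 provenance
# statement (in-toto Statement form); names and URIs are placeholders.
ARTIFACT = b"example-app-1.2.3.tar.gz contents"
EXPECTED_SOURCE = "git+https://example.invalid/org/app"
TRUSTED_BUILDERS = {"https://builder.example.invalid/hosted@v1"}  # hypothetical allowlist
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-app-1.2.3.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [
            {"uri": EXPECTED_SOURCE, "digest": {"gitCommit": "0" * 40}}]},
        "runDetails": {"builder": {"id": "https://builder.example.invalid/hosted@v1"}},
    },
}
# Constructed CycloneDX SBOM and a constructed advisory feed keyed by purl.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libfoo", "version": "2.1.0", "purl": "pkg:pypi/libfoo@2.1.0"},
    {"type": "library", "name": "libbar", "version": "0.9.4", "purl": "pkg:pypi/libbar@0.9.4"}]}
ADVISORIES = {"pkg:pypi/libbar@0.9.4": ["CVE-0000-PLACEHOLDER"]}

def check_provenance(stmt, artifact, trusted_builders, expected_source):
    """Policy checks on an already signature-verified provenance statement.
    Returns a list of violations; an empty list means the artifact passes."""
    problems = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicateType is not SLSA v1 provenance")
    # The provenance must speak about exactly this artifact (digest binding).
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        problems.append("artifact digest not among provenance subjects")
    pred = stmt.get("predicate", {})
    # Only artifacts built on an approved hosted platform are accepted.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder}")
    # The build must have consumed the expected source repository.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == expected_source for d in deps):
        problems.append("expected source repository not in resolvedDependencies")
    return problems

def affected_components(sbom, advisories):
    """Map each inventoried component purl to the advisories that name it."""
    return {c["purl"]: advisories[c["purl"]]
            for c in sbom.get("components", []) if c.get("purl") in advisories}
```

Run the check against a re-released artifact with different bytes, or a statement from a builder outside the allowlist, to see the corresponding violation reported instead of an empty list.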