
RMF Supply Chain Risk Management
Course Duration
1 Day
Audience
Employees of federal, state and local governments; and businesses working with the government.
Prerequisites
A working understanding of the Risk Management Framework (RMF) is required. Familiarity with NIST SP 800-53 controls is highly recommended.
Course Description
In the modern threat landscape, your security is only as strong as your weakest vendor. This course covers the principles and practices of Cyber Supply Chain Risk Management (C-SCRM) within the RMF context. Students learn to establish a C-SCRM program, assess and manage supply chain risks, apply appropriate controls, and maintain ongoing monitoring. Topics include determining technology fitness for purpose, developing risk tolerance thresholds, implementing C-SCRM controls, and training personnel to detect counterfeit or tampered components.
Course Outline
Course Topics
- Establishing the C-SCRM team and determining roles and responsibilities.
- Establishing the basis for determining whether a technology, service, system component, or system is fit for purpose, and tailoring the controls accordingly.
- Addressing requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems.
- Managing, implementing, and monitoring C-SCRM controls.
- Determining C-SCRM risk tolerance.
- Identifying and assessing C-SCRM risks.
- Determining appropriate risk response actions and acceptable C-SCRM risk mitigation strategies or controls.
- Describing and justifying the C-SCRM mitigation measures taken.
- Monitoring performance against plans.
- Specifying documentation protection requirements.
- Providing training, education, and awareness programs for personnel regarding C-SCRM and the available mitigation strategies.
- Training personnel to detect counterfeit system components.