C-SCRM Strategy & Implementation Plan

ComplianceForge developed an editable template for a C-SCRM strategy and implementation plan that is based on NIST SP 800-161 Rev 1, which is the current "gold standard" for authoritative C-SCRM guidance. This is fully-editable documentation (e.g., Word, Excel, PowerPoint, etc.) that can enable your organization to "hit the ground running" with C-SCRM operations.

2022.1 - Cybersecurity Supply Chain Risk Management (C-SCRM).jpg

NIST SP 800-161 Rev 1 - Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)

Product highlights of the C-SCRM SIP include:

  • Country-based risk guidance to determine minimum management decision levels for conducting operations in or contracting with suppliers from countries that pose a legitimate C-SCRM threat.

  • The prioritized implementation plan contains mappings for NIST SP 800-161 R1 controls to each C-SCRM implementation phase. 

  • Professionally-written, editable documentation template that leverages industry-recognized "best practices" for C-SCRM.

  • Cost-effective solution to quickly generate documentation for a C-SCRM strategy and implementation plan.

  • Example flow-down contract requirements for suppliers, vendors, subcontractors, etc. (DFARS/CMMC, ISO 27001, NIST CSF, NIST 800-53, FAR, PCI DSS, and EU GDPR/CCPA).


Country-Based Risk Management

To properly manage supply chain-related threats, organizations must evaluate country-based threats posed by its supply chain. This review must cover the geographic concerns where your products, services and support originate from or transit through:

  • Transmit, process and/or store your company's or its clients’, data across the SISP's systems, applications and/or services;

  • Manufacture products or product components used in your company's operations and/or products; and/or

  • Provide services for your company's operations and/or products.


Within the C-SCRM SIP from ComplianceForge, geographic-specific threat management criteria is refined by guidance from:

  • Priority Watch List & Watch List

  • Corruption Perceptions Index

  • Notorious Markets List

  • Designated State Sponsors of Terrorism

  • EAR / ITAR restrictions

  • Potentially hostile data localization laws

C-SCRM Product Example.JPG