Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Supply Chain Risk Management (SCRM)

Mitigating risks to CMS data and systems by developing strategies to address vulnerabilities and threats to the software supply chain

slack logoCMS Slack Channel
  • #cms-scrm

What is Supply Chain Risk Management (SCRM)? 

Most products or services are made of multiple parts or components -- and most companies do not "own" that process from beginning to end. Taken together, those parts are referred to as a supply chain. Each part is a link in that supply chain.  

Supply Chain Risk Management, often referred to as SCRM, is the practice of identifying, assessing, and mitigating risks associated with the distributed and interconnected nature of today’s supply chains. 

SCRM covers the lifecycle of the entire system: design, development, distribution, deployment, acquisition, maintenance, and destruction. Supply chain threats and vulnerabilities may compromise a product or service at any stage of the life cycle.

Most supply chains include points for the transfer of electronic information or data. When it’s transferred between networks, that data can be vulnerable to attacks from bad actors motivated by profit or political reasons. Focusing on the information systems within the supply chain is Cyber Supply Chain Risk Management (C-SCRM).

NIST officially defines C-SCRM as a “a systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures.”

When a supply chain is secure and working as intended, you have supply chain integrity. SCRM principles are essential in the acquisition lifecycle to ensure the security, resilience, and reliability of the supply chain.

SCRM at CMS

The SCRM Team at CMS is dedicated to maintaining supply chain integrity. They address both cyber- and non-cyber risks to CMS information and information systems that come from external suppliers, products, and services. 

SCRM efforts are coordinated by the Division of Strategic Information (DSI) under the authority of the Chief Information Security Officer (CISO). 

DSI’s SCRM policies and procedures facilitate continuous identification, assessment, and mitigation of supply chain risks across the enterprise.

Your responsibilities for SCRM at CMS

Everyone at CMS has a responsibility to promote and preserve supply chain integrity. You can find specific duties for particular roles outlined in the CMS SCRM Program Manual (PDF document, login required).  

Everyone at CMS is expected to:

  • Follow policies that govern the acceptable use of CMS systems
  • Use CMS information technology resources for defined purposes only
  • Report any business concerns or suspicious behavior to the SCRM Team, particularly concerns about personnel or supply chains within the organization

ISSOs and SCRM

CMS ISSOs have three major responsibilities when it comes to SCRM: 

  • Develop procedures for performing, analyzing, and utilizing integrator or supplier assessments
  • Analyze and develop technical mitigation strategies derived from the integrator or supplier assessments, ensuring that assessments are performed by a third party (not necessarily an external party)
  • Coordinate with the Information System Officer (ISO / SO) to ensure compliance with applicable requirements

When to contact the SCRM Team

To protect supply chain integrity at CMS, we can assist you at any point during the acquisition lifecycle, from pre-acquisition planning to delivery and acceptance all the way to regulatory compliance. 

The SCRM Team can help you perform a supply chain risk assessment (SCRA) or a vendor risk assessment. Both of these activities can reveal potential issues during the acquisition process and should be done proactively to mitigate risks — not simply to comply with regulatory requirements. 

Email the team at SupplyChainRiskManagement@CMS.HHS.gov