Supply Chain Risk Management (SR)
Last Reviewed: 8/7/2025
This page provides guidance for following the requirements of the SR control family from the CMS ARS. Business Owners, ISSOs, and application teams should review these guidelines to ensure compliance with CMS security and privacy standards.
Introduction
Supply Chain Risk Management (SR) focuses on identifying, assessing, and mitigating risks associated with third-party products, services, and vendors that support any enterprise—in other words, the supply chain.
Supply Chain Risk Management (SR), often referred to as SCRM, covers the lifecycle of the entire system: design, development, distribution, deployment, acquisition, maintenance, and destruction. Threats and vulnerabilities may compromise a product or service at any stage of the lifecycle.
When SCRM focuses on information systems within the supply chain, it is referred to as Cyber Supply Chain Risk Management (C-SCRM).
Supply chain integrity is achieved when every product and service in the chain is delivered and operates as intended, without unauthorized modification or substitution at any stage. SCRM principles are therefore essential during acquisition to ensure the security, resilience, and reliability of the supply chain.
Key Security and Privacy Measures
Supply Chain Risk Management (SCRM) Plan
CMS requires programs and system owners to develop system-specific SCRM plans aligned with the CMS Enterprise SCRM strategy. These plans define roles, responsibilities, risk tolerance, supplier evaluation criteria, and mitigation procedures.
These SCRM plans are reviewed and updated annually (every 365 days) or as required to address threat, organizational, or environmental changes, and must be protected from unauthorized disclosure or modification.
Supply Chain Risk Management (SCRM) Team
The SCRM Team at CMS is dedicated to maintaining supply chain integrity. They address both cyber and non-cyber risks to CMS data and information systems from external suppliers, products, and services.
The Division of Strategic Information (DSI) coordinates CMS SCRM efforts under the authority of the Chief Information Security Officer (CISO), with a well-articulated CMS SCRM Program Manual.
The SCRM Team can be contacted at SupplyChainRiskManagement@cms.hhs.gov.
Supply Chain Controls and Processes
The CMS SCRM Program Manual documents the enterprise strategy of established controls and processes that ensure externally provided systems, system components, and services meet CMS security and privacy requirements. It details the roles and responsibilities, as well as the tiered supply chain risk management approach.
Acquisition Strategies, Tools, and Methods
CMS contracts and agreements include language that mandates vendors and suppliers adhere to CMS security and privacy requirements, which align with the Federal Acquisition Regulation (FAR), the Privacy Act, and CMS policies and procedures.
CMS also provides supply chain risk management training and awareness to its workforce, equipping personnel with available mitigation strategies and risk response approaches.
The SCRM Team helps with supply chain risk assessments (SCRAs) or vendor risk assessments at any point during the acquisition lifecycle.
Supplier Assessments and Reviews
CMS performs periodic evaluations of vendors and service providers every 365 days to assess continued risk posture and compliance with CMS requirements. These reviews must ensure that vendors, their products, or services have not been flagged by any federal authority, nor have questionable ties with foreign governments. The results of the reviews form part of the security assessments and Authorization to Operate (ATO) packages.
Notification Agreements
CMS contractual agreements have built-in incident response clauses that require vendors to notify CMS of compromises in any of their products, personnel, or services, including software tampering or unauthorized third-party involvement.
Tamper Resistance and Detection
CMS requires hardware and software tamper-detection mechanisms to be part of system acquisition and acceptance testing. CMS suppliers must therefore implement tamper detection, secure configuration, and vulnerability management practices for the products and services they deliver.
The CMS Target Lifecycle governance process, which promotes business flexibility, provides continuous evaluation and situational reviews throughout the System Development Life Cycle (SDLC).
Inspection of Systems or Components
CMS requires systems or components to be inspected for evidence of tampering at random, at least annually (every 365 days), and whenever there are indications that an inspection is needed. The indications that trigger an inspection are defined in the CMS Acceptable Risk Safeguards (ARS).
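The tamper-detection and inspection requirements above are stated as policy; the following is an added illustration (not CMS code, not part of the ARS or the SCRM Program Manual) of one concrete acceptance check for a delivered software component. It assumes the vendor ships a detached manifest in the `sha256sum` format (one `<sha256>  <relative path>` line per file, which is an assumption) and checks every delivered file against it, reporting files that were modified after the manifest was produced, files the manifest lists but the delivery lacks, and files present in the delivery that the manifest never lists. The sample delivery is constructed inline so the block runs offline.

```python
"""Acceptance check: verify a delivered component tree against a vendor-supplied
SHA-256 manifest. Added example for illustration only; not CMS code. The
manifest format (sha256sum style, "<hex digest>  <relative path>") is assumed."""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Return {relative_path: hex_digest} from sha256sum-style manifest text.
    Blank lines and '#' comments are ignored; a malformed digest is rejected
    rather than silently skipped, since a skipped entry would never be checked."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"malformed SHA-256 digest for {path!r}")
        if path.startswith("*"):  # sha256sum's binary-mode marker
            path = path[1:]
        expected[os.path.normpath(path)] = digest
    return expected


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_delivery(root, manifest_text):
    """Compare every file under `root` with the manifest. Returns a report dict;
    'accepted' is True only when nothing is tampered, missing, or unlisted."""
    expected = parse_manifest(manifest_text)
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found[os.path.normpath(os.path.relpath(full, root))] = sha256_file(full)

    report = {"ok": [], "tampered": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        if rel not in found:
            report["missing"].append(rel)
        elif hmac.compare_digest(found[rel], digest):  # constant-time comparison
            report["ok"].append(rel)
        else:
            report["tampered"].append(rel)
    # Anything delivered but not listed is just as suspicious as a bad hash:
    # it could be an injected component the vendor never shipped.
    report["unlisted"] = sorted(set(found) - set(expected))
    for key in ("ok", "tampered", "missing"):
        report[key].sort()
    report["accepted"] = not (report["tampered"] or report["missing"] or report["unlisted"])
    return report


def demo():
    """Constructed delivery (sample data, not a real product): two files listed in
    the manifest, one of them modified after the manifest was produced, one listed
    file never delivered, and one extra file the manifest does not mention."""
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "bin/agent": b"\x7fELF placeholder agent binary",
            "lib/config.json": b'{"debug": false}\n',
        }
        for rel, data in originals.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in originals.items()
        )
        manifest += "\n" + "0" * 64 + "  docs/README\n"  # listed but never shipped
        # Simulated post-manifest tampering and an injected unlisted file.
        with open(os.path.join(root, "lib", "config.json"), "wb") as f:
            f.write(b'{"debug": true}\n')
        with open(os.path.join(root, "bin", "extra.so"), "wb") as f:
            f.write(b"not in the manifest")
        return verify_delivery(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself must arrive over a channel separate from the delivery (or carry a signature verified against a key obtained out of band); a manifest that ships inside the same tarball can be regenerated by whoever tampered with the contents, so a matching hash then proves nothing about authenticity.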
Component Authenticity
Vendors must provide documentation of component authenticity and secure sourcing. CMS only uses trusted distributors and authorized resellers for procurement. Any detected counterfeit system component must be reported to:
- Source of counterfeit component
- CMS Cybersecurity Integration Center (CCIC)
- Cybersecurity and Infrastructure Security Agency (CISA)
- CMS SCRM Manager (defined in System Security and Privacy Plan – SSPP)
For additional information on incident reporting and handling, please see the Incident Response (IR) Informational Guide.
Anti-Counterfeit Training
CMS trains Information System Security Officers (ISSOs), System Owners, and other personnel to detect counterfeit system components, including hardware, software, and firmware, within its supply chain, using various tools and industry standards for inspection, testing, and authentication (IT&A).
Configuration Control for Component Service and Repair
CMS maintains configuration control by documenting and updating a current baseline for all system components, including those awaiting service or return to service.
To ensure non-repudiation and prevent unauthorized changes, CMS applies a two-person rule: any component or configuration change must be validated by a second authorized person before it takes effect. Any exceptions to mandatory configuration settings must be identified, documented, and reviewed, taking into account development, operational, and delivery requirements.
Component Disposal
CMS business/system components that have processed, transmitted, or stored sensitive information may be reused for the same purpose within CMS control. If components are repurposed, they must be thoroughly sanitized in line with CMS media sanitization policies. Components leaving CMS control must be sanitized or destroyed to prevent unauthorized use or disclosure of residual information. NIST SP 800-88 Rev. 1 provides additional information on media sanitization techniques and methods.
Summary of SCRM at CMS
CMS implements a comprehensive, policy-driven approach to meet the SCRM requirements across the steps of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), from categorization through authorization and continuous monitoring, especially in:
- Acquisition planning
- System Security and Privacy Planning (SSPP)
- Third-party contract management
- Assessment and continuous monitoring