Supply-chain risk management (SCRM) plan

Many government agencies now require contractors to submit a Supply-Chain Risk Management (SCRM) plan with their proposal, or as one of a project's early-phase deliverables.

Because information and communications technology (ICT) supply chains are increasingly global, complex, and sophisticated, federal agency information systems are at growing risk of compromise. ICT supply chain risks include the insertion of counterfeit components, unauthorized production, tampering, theft, the insertion of malicious software, and poor manufacturing and development practices anywhere in the supply chain.

These risks stem from an agency's limited visibility into, and understanding of, how the technology it acquires is developed, integrated, and deployed, and of the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services.

Today, federal agencies and many private-sector integrators and suppliers use varied, nonstandard practices, which makes it difficult to measure and manage ICT supply chain risk consistently across organizations. ICT Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks that arise from the global and distributed nature of ICT product and service supply chains.

Here is a fact sheet (PDF) about ICT SCRM published by the National Institute of Standards and Technology (NIST).

Here is a detailed GOVPROP SCRM template for an independent verification and validation (IV&V) project:

IV&V SCRM Template (Word document)

Please note: The information in this document is intended as a general information resource on the matters covered. It is not offered as legal, accounting, or other professional advice, and it is not tailored to your specific circumstances. You should evaluate all information, opinions, and advice in this document in consultation with your own experts.