A survey of FedRAMP’s new supply chain requirements
Key takeaways:
- Supply chain management is not brand new. It has existed for a while within Defense Federal Acquisition Regulation Supplement (DFARS) Part 252 and in control SA-12, which first appeared in NIST 800-53 revision 3 for systems with a High FIPS-199 categorization.
- FedRAMP's focus on supply chain requirements has increased significantly in 2022 through the publication of the new supply chain risk management (SR) control family in NIST 800-53 revision 5.
- CSPs adhering to the FedRAMP standard will need to itemize their Cloud Service Offering (CSO) vendors and develop a supply chain risk management plan.
- Vendors will need to be reviewed for NIST 800-171 compliance by the CSP on an annual basis.
Supply chain management
Over the past few years, supply chain management has shifted from a background requirement that everyone unknowingly relies upon, to being a commonly talked about aspect of our everyday lives. The Federal government has ramped up its effort to gain a handle on supply chain threats as a result of many recent compromises to government information systems and critical infrastructure. Through the presidential executive order on improving the nation's cybersecurity (May 2021) and the earlier finalized publication of NIST 800-53 revision 5 (September 2020), it will come as no surprise that FedRAMP will place a special emphasis on this domain once the FedRAMP 800-53 revision 5 baselines are finalized later this year.