NIST 800-53 r5 · Controls catalogue · Family PM
PM-30 Supply Chain Risk Management Strategy
- Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
- Implement the supply chain risk management strategy consistently across the organization; and
- Review and update the supply chain risk management strategy on {{ insert: param, pm-30_odp }} or as required, to address organizational changes.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (9)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | 300 | SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code. |
| CWE-1392 | Use of Default Credentials | 89 | Consistent implementation of the strategy drives removal or mitigation of default credentials in procured systems and services. |
| CWE-506 | Embedded Malicious Code | 80 | Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators. |
| CWE-912 | Hidden Functionality | 79 | Policy requires supplier transparency and testing to detect hidden functionality or backdoors inserted in the supply chain. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Review and update processes include scrutiny of undocumented features or debug mechanisms provided by component manufacturers. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |