NIST 800-53 r5 · Controls catalogue · Family SR
SR-2 Supply Chain Risk Management Plan
- a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};
- b. Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and
- c. Protect the supply chain risk management plan from unauthorized disclosure and modification.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Explicit protection of the plan from unauthorized disclosure and modification implements access controls on this sensitive artifact. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | The control directly mandates assessment and mitigation of risks from external suppliers, reducing inclusion of functionality from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | The plan typically requires integrity verification steps for acquired code and components, directly addressing downloads lacking integrity checks. |
| CWE-506 | Embedded Malicious Code | 80 | A supply chain risk management plan requires vetting suppliers and components to prevent introduction of embedded malicious code throughout the system lifecycle. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Supply chain planning includes ongoing evaluation of third-party component support and viability, making use of unmaintained components less likely. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |