(U//FOUO) Committee on National Security Systems Supply Chain Risk Management (SCRM) Directive

The following CNSS directive is from the website of a company called RMF Certifiers.


Committee on National Security Systems Directive No. 505

  • 12 pages
  • For Official Use Only
  • March 7, 2012


1. (U//FOUO) In accordance with CNSSP No. 22, “Information Assurance Risk Management Policy for National Security Systems” and the strategy established by the Comprehensive National Cybersecurity Initiative (CNCI), this Directive assigns responsibilities, and establishes the minimum criteria for the development and deployment of capabilities for the protection of National Security Systems (NSS), as defined in Reference d, from supply chain risk.


2. (U) This Directive derives its authority from National Security Directive (NSD)-42, (Reference A) which outlines the roles and responsibilities for securing NSS, as affirmed by E.O. 12333 (Reference E).

3. (U) Nothing in this Directive shall alter or supersede the authorities of the Director of National Intelligence.


4. (U) This directive applies to all departments, agencies, bureaus, and offices of the U.S. Government; their employees; and supporting contractors and agents that own, operate, use, maintain, procure, secure, develop, or manage NSS, as defined in Reference D.

5. (U) Organizations may implement more stringent requirements than those included in this Directive as necessary to support their mission(s).


6. (U//FOUO) U.S. Government departments and agencies shall establish an organizational supply chain risk management (SCRM) capability to identify and manage supply chain risk to NSS early and throughout their entire system lifecycle through the use of acquisition and engineering mitigations informed by all-source supply chain threat information.

7. (U//FOUO) Elements acquired for use within NSS shall be commensurately assured based on:

a. (U//FOUO) The criticality of the system to the mission, and

b. (U//FOUO) The role of the element in achieving, protecting, or impacting the mission critical functions of the system.


8. (U//FOUO) Heads of U.S. Government departments and agencies shall develop and document a strategy for the planned evolution of the department or agency-specific SCRM capability that shall include:

a. (U//FOUO) Integrating SCRM practices and risk mitigations, including threat support to acquisition, into department or agency-specific system and acquisition life cycle processes, security capabilities, and an enterprise-wide risk management policy consistent with National Institute of Standards and Technology (NIST) Special Publication 800-39 and the CNCI 11 SCRM Strategy and Implementation Plan.

b. (U//FOUO) Initiating SCRM capability within one year of this directive’s issue date to begin incremental implementation and to gain the experience necessary to identify and develop the plans, tools, and skills necessary to achieve a full-scale SCRM capability. Initial SCRM capabilities shall include:

1) (U//FOUO) Establishing processes and policy for using all-source threat information, in coordination with the Office of the Director of National Intelligence (ODNI), Office of the National Counterintelligence Executive (ONCIX).

2) (U//FOUO) Developing and implementing minimum standards for threat assessments to inform risk management decisions for mission-critical elements of NSS.

3) (U//FOUO) Identifying and prioritizing NSS for initial implementation of SCRM best practices (See ANNEX C).

c. (U//FOUO) Resourcing plans, to include major milestones to implement a full-scale SCRM capability to protect NSS within six years of the date of issue of this directive.

d. (U//FOUO) Processes which prioritize mission-critical elements of NSS for SCRM and which apply SCRM across the lifecycle of NSS, including systems acquisitions and commodity purchases.

e. (U//FOUO) Identifying the appropriate lead organization for the governance and support of the full-scale SCRM capability. The lead organization shall:

1) (U//FOUO) Establish agency-specific policies and procedures for SCRM.
2) (U//FOUO) Coordinate with internal and external organizational stakeholders for the implementation and governance of the enterprise SCRM capability.
3) (U//FOUO) Establish a mechanism and procedures for addressing threat that current engineering and acquisition mitigations and countermeasures cannot address.
4) (U//FOUO) Develop awareness, education, and training for personnel on supply chain risks and mitigations.
5) (U//FOUO) Establish a process for documenting how supply chain risks have been addressed and using this information for future risk mitigation and SCRM activities.
6) (U//FOUO) Provide regular reporting, as directed by the National Security Staff, on implementation progress and effectiveness of SCRM capabilities as part of the CNCI, through the appropriate CNCI leadership, including the SCRM Senior Steering Group.

9. (U//FOUO) The Office of the Director of National Intelligence (ODNI), Office of the National Counterintelligence Executive (ONCIX), shall develop standards, methodologies, and tools to assist departments and agencies in implementing threat assessments to inform risk management decisions for mission-critical elements of NSS.


10. (U//FOUO) SCRM Capability

a. (U//FOUO) Threat support to acquisition – Organizations shall use all-source intelligence assessments on potential suppliers (e.g., re-sellers, component manufacturers, product manufacturers, system integrators) to inform acquisition and risk management decisions for critical elements, subsystems, and systems used within NSS, in accordance with applicable laws, regulations, Executive Orders, and policies. Departments and agencies shall work with ONCIX to develop and implement all-source intelligence threat assessments in acquisition decision making, in accordance with the CNCI 11 SCRM Strategy and Implementation Plan. The ONCIX provides the minimum standards, along with methodologies, tools, and best practices to conduct counterintelligence analysis on supply chain threats. Agencies will follow ONCIX’s guidelines when developing threat assessments. ONCIX supports the U.S. Government by serving as the national clearing house for threat information affecting the supply chain, enabling these organizations to develop and implement effective mitigation strategies.
