bigforceone

03.17.01

What this control requires

(a) Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services.

(b) Review and update the supply chain risk management plan [organization-defined parameter A.03.17.01.ODP.01].

(c) Protect the supply chain risk management plan from unauthorized disclosure.

Source: NIST SP 800-171 R3 §03.17.01 (official control text).

Why this matters

Organizations depend on external vendors for hardware, software, cloud services, and maintenance throughout a system's entire lifecycle. Adversaries exploit this by inserting malicious code during manufacturing, compromising update mechanisms, or leveraging trusted supplier access to infiltrate networks. A supply chain risk management plan systematically identifies where dependencies exist, assesses vendor trustworthiness, defines acceptance criteria for components and services, and establishes monitoring for anomalous behavior. Without documented SCRM processes, organizations cannot distinguish legitimate vendor activity from supply chain compromise, leaving critical infrastructure vulnerable to nation-state attacks, counterfeits, and insider threats embedded in third-party relationships.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
