bigforceone


What this control requires

(a) Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes. (b) Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: {{ insert: param, A.03.17.03.ODP.01 }}.

Source: NIST SP 800-171 R3 §03.17.03 (official control text).

Why this matters

Supply chain attacks target the vendors, tools, and service providers an organization depends on, so malicious code or compromised hardware can be introduced before it ever reaches internal systems. Recent high-profile breaches have shown that adversaries infiltrate trusted suppliers to bypass perimeter defenses and gain persistent access to thousands of downstream customers at once. This control requires the organization to systematically identify weak links in its technology and service supply chains, establish security requirements for suppliers, and maintain processes to detect and respond to supply chain compromises before they propagate into production environments.

What evidence assessors expect

Assessors typically look for artifacts showing that the process in (a) exists and that the security requirements in (b) are enforced. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

See your live posture on 03.17.03.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →