The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to the university. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans.


  • This control applies to the university Chief Information Security Officer.


  • 1

    It is the responsibility of the Chief Information Security Officer or designee to develop, document, disseminate a university-wide supply chain risk management policy that:

    • 1.1

      Addresses purpose, scope, roles, responsibilities, management commitment, coordination among university entities, and compliance;

    • 1.2

      Is consistent with applicable federal and state laws, executive orders, directives, regulations, system and university policies, standards, and guidelines;

    • 1.3

      Develops procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; and

    • 1.4

      Ensures the supply chain risk management policy and procedures are reviewed and updated annually.