Supply Chain Risk — FedRAMP KSI Domain

Generated from the official FedRAMP/docs GitHub repo. Source path: FRMR.documentation.json on main at blob 5c6bfee74029. FRMR version: 0.9.43-beta · upstream last_updated: 2026-04-08. The official FedRAMP/rules repo exists, but grclanker still treats FedRAMP/docs as the active source until structured rules land there.

Supply Chain Risk

Domain code: SCR · Domain ID: KSI-SCR · Web slug: supply-chain-risk

Theme

A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources.

Indicators

KSI-SCR-MIT (formerly KSI-TPR-03) — Mitigating Supply Chain Risk

Persistently identify, review, and mitigate potential supply chain risks.

Mapped Rev5 controls: ac-20, ra-3.1, sa-9, sa-10, sa-11, sa-15.3, sa-22, si-7.1, sr-5, sr-6, ca-7.4, sc-18

Terms: Persistently

Recent update: 2026-02-04 — Renamed theme to Supply Chain Risk; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-SCR-MON (formerly KSI-TPR-04) — Monitoring Supply Chain Risk

Automatically monitor third party software information resources for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.

Mapped Rev5 controls: ac-20, ca-3, ir-6.3, ps-7, ra-5, sa-9, si-5, sr-5, sr-6, sr-8

Terms: Information Resource, Vulnerability

Recent update: 2026-02-09 — Renamed from incorrect KSI-RSC-MON to KSI-SCR-MON; no material changes.
