Sub-Tier Flow Down
Supply Chain Risk Management
NIST Control Text
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
NIST Discussion
To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the flow down of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in SR-3b.
SL5 Supplemental Guidance
Apply SP 800-161 Rev 1 guidance [3] for contractual flow-down of security requirements from prime contractors to relevant sub-tier contractors throughout the supply chain, with due diligence on upstream dependencies including fourth- and fifth-party suppliers.