Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family PM

PM-30 Supply Chain Risk Management Strategy

a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on {{ insert: param, pm-30_odp }} or as required, to address organizational changes.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk cover this control, taken together. The verdict is the strongest single mapping (overlapping partial mappings are not summed); the breadth figure shows how many mappings corroborate it.

Collective: mostly · 15 mappings from 1 framework: CSF 2.0, 15 mappings (mostly)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (9)

CWEs ranked by how often they appear in real CVEs. The rationale column describes how this control reduces the exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-798 | Use of Hard-coded Credentials | 2,013 | Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.
CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 298 | Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
CWE-494 | Download of Code Without Integrity Check | 252 | Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.
CWE-1392 | Use of Default Credentials | 104 | Consistent implementation of the strategy drives removal or mitigation of default credentials in procured systems and services.
CWE-506 | Embedded Malicious Code | 85 | Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators.
CWE-912 | Hidden Functionality | 79 | Policy requires supplier transparency and testing to detect hidden functionality or backdoors inserted in the supply chain.
CWE-1104 | Use of Unmaintained Third Party Components | 21 | Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies.
CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Review and update processes include scrutiny of undocumented features or debug mechanisms provided by component manufacturers.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
No CVEs annotated to this control yet; the per-CVE backfill is in progress.

Other controls in family PM

PM-1 PM-10 PM-11 PM-12 PM-13 PM-14 PM-15 PM-16 PM-17 PM-18 PM-19 PM-2 PM-20 PM-21 PM-22 PM-23 PM-24 PM-25 PM-26 PM-27 PM-28 PM-29 PM-3 PM-31 PM-32 PM-4 PM-5 PM-6 PM-7 PM-8 PM-9