SR - Supply Chain Risk Management Domain Notes
CMMC Domain: SR (Supply Chain Risk Management)
NIST 800-171 Family: 3.17.x (Rev 3) / CMMC Level 2 added in final rule
General Notes
Third-Party Risk
- Any external service provider that processes, stores, or transmits CUI is in scope
- Must document external service providers (CSPs, SIEMs, backup vendors, etc.)
- Shared Responsibility Matrix (SRM) required for cloud services: obtain one from every CSP
- MSPs managing in-scope systems must be addressed; they may require their own CMMC assessment
MSP In-Scope Question
- Active community discussion: if MSP builds and manages your L2 environment, who's responsible during the assessment?
- MSP access to CUI systems likely puts them in scope as an External Service Provider (ESP)
- Source: https://old.reddit.com/r/CMMC/comments/1r2484v/ (2026-02-11, score 7, 25 comments)
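The scope rule in the two sections above (any external provider that processes, stores, or transmits CUI is in scope; CSPs need an SRM on file; an MSP with CUI access needs its own CMMC status documented) can be kept as a checkable register rather than a spreadsheet nobody re-reads. The following is an added illustration written for these notes, not an official CMMC or NIST tool and not the community tool mentioned below; the field names, status values, and provider names are assumptions.

```python
# Added example: a minimal External Service Provider (ESP) register check.
# Illustrative code for these notes, not an official CMMC/NIST tool;
# field names, status values, and the sample providers are assumptions.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ExternalServiceProvider:
    name: str
    role: str                      # free-form label: "CSP", "MSP", "SIEM", "backup", ...
    handles_cui: bool              # processes, stores, or transmits CUI on your behalf
    has_srm: bool = False          # Shared Responsibility Matrix obtained and on file
    cmmc_status: str = "unknown"   # assumed values: "unknown", "self-assessed", "certified"


def is_in_scope(esp: ExternalServiceProvider) -> bool:
    """Scope rule from the notes: any ESP that touches CUI is in scope."""
    return esp.handles_cui


def check_register(register: List[ExternalServiceProvider]) -> List[Tuple[str, str]]:
    """Return (provider name, finding) pairs for in-scope providers with gaps."""
    findings: List[Tuple[str, str]] = []
    for esp in register:
        if not is_in_scope(esp):
            continue  # out of scope: no CUI, nothing to track for SR
        if esp.role == "CSP" and not esp.has_srm:
            findings.append((esp.name, "no Shared Responsibility Matrix on file"))
        if esp.role == "MSP" and esp.cmmc_status == "unknown":
            findings.append((esp.name, "MSP with CUI access has no documented CMMC status"))
    return findings


# Constructed sample register (fictional provider names).
SAMPLE_REGISTER = [
    ExternalServiceProvider("ExampleCloud", "CSP", handles_cui=True, has_srm=True),
    ExternalServiceProvider("ExampleBackup", "CSP", handles_cui=True, has_srm=False),
    ExternalServiceProvider("ExampleMSP", "MSP", handles_cui=True),
    ExternalServiceProvider("ExamplePayroll", "SaaS", handles_cui=False),
]

if __name__ == "__main__":
    for name, finding in check_register(SAMPLE_REGISTER):
        print(f"{name}: {finding}")
```

Running it on the constructed register flags the backup CSP (no SRM) and the MSP (no documented CMMC status) and ignores the payroll SaaS that never sees CUI. Extending the rules (for example, requiring a documented flow-down clause per subcontractor) is a matter of adding fields and checks, not changing the structure.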
CAGE Code / Contract Flow-Down
- Flow-down requirements to subcontractors are real; you may need to verify your subs
- CAGE codes added post-assessment: active thread (2026-02-06)
- Source: https://old.reddit.com/r/CMMC/comments/1qxlept/ (2026-02-06)
False SPRS Self-Assessment
- Community flagged cases of subcontractors with false CMMC Level 2 self-assessment in SPRS
- Liability concern if prime contractor doesn't verify subs
- Source: https://old.reddit.com/r/CMMC/comments/1q8oz24/ (2026-01-09, score 9)
Free DIB Supply Chain Tool
- Community member built a free local tool for DIB supply chain risk
- Source: https://old.reddit.com/r/CMMC/comments/1r41oga/ (2026-02-13, score 5)
Related Posts
- If an MSP built and manages your level 2 environment (2026-02-11)
- Adding CAGE codes post assessment (2026-02-06)
- Subcontractor False CMMC Level 2 Self-assessment in SPRS (2026-01-09)
- Free local tool for DIB supply chain risk (2026-02-13)