# Supply Chain: Vendor Risk Tier Scoring Exemplar

Stella Maris Governance LLC. Redacted structural exemplar; not a complete client deliverable.

## Control Objective
Establish a structured vendor risk tier scoring methodology that categorizes supply chain partners based on CUI exposure, DFARS flow-down obligation, access scope, and compliance posture. This pack governs how organizations assess, score, and validate subcontractor risk within the Defense Industrial Base supply chain.
## Control Structure
| Control ID | Objective | Evidence Required | Framework Mapping |
|---|---|---|---|
| VRT-01 | Establish formal vendor risk classification criteria aligned to CUI exposure levels | Vendor risk classification policy, tier definition matrix, CUI scope assessment methodology | NIST 800-161 SR-6 / DFARS 252.204-7012 |
| VRT-02 | Conduct initial risk tier assignment for all subcontractors with CUI access or flow-down obligations | Completed tier assessment records, subcontractor CUI scope documentation, initial risk scoring worksheets | NIST 800-161 SR-3 / DFARS 252.204-7019 |
| VRT-03 | Validate subcontractor self-attestation against documented NIST 800-171 implementation status | Attestation validation records, gap analysis documentation, SPRS score verification evidence | NIST 800-161 SR-5 / DFARS 252.204-7020 |
| VRT-04 | Implement risk-based review cadence aligned to vendor tier classification | Review schedule documentation, tier-based cadence matrix, completed periodic review records | NIST 800-161 SR-2 / DFARS 252.204-7012 |
| VRT-05 | Establish escalation and remediation procedures for subcontractors failing tier requirements | Escalation policy, remediation plan templates, non-compliance action documentation | NIST 800-161 SR-11 / DFARS 252.204-7012 |
This exemplar displays a representative subset of controls from a structured 10-control pack maintained within the firm's private governance system. Full pack available through advisory engagement.
## Evidence Traceability
| Control | Evidence Artifact | Storage Location | Review Cadence |
|---|---|---|---|
| VRT-01 | Vendor Risk Classification Policy (VRCP-001) | Controlled Governance Repository | Annual review |
| VRT-02 | Tier Assessment Records (TAR-001 through TAR-n) | Controlled Governance Repository | Per-vendor, event-driven |
| VRT-03 | Attestation Validation Worksheets (AVW-001) | Controlled Governance Repository | Annual per subcontractor |
| VRT-04 | Tier-Based Review Cadence Matrix (TRCM-001) | Controlled Governance Repository | Semi-annual review |
| VRT-05 | Escalation & Remediation Policy (ERP-001) | Controlled Governance Repository | Annual review, event-driven update |
## Implementation Guidance

Vendor risk tier scoring begins with defining classification criteria based on CUI exposure scope, data handling requirements, and DFARS flow-down applicability. Organizations should establish a minimum three-tier structure (Critical, Standard, Limited) with documented criteria for each tier. Scoring should incorporate both self-attestation review and objective compliance indicators, including SPRS scores, prior assessment findings, and incident history. Evidence should demonstrate systematic application of the tier methodology across the complete subcontractor population.
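As an added worked example (not part of this exemplar and not Stella Maris Governance's own methodology), the Python module below turns the four classification criteria named above (CUI exposure, DFARS flow-down, access scope, compliance posture) into a repeatable tier assignment, derives the tier-based review cadence (VRT-04) and flags vendors that fall below the posture their tier requires (VRT-05). Every point weight, tier threshold, cadence and minimum SPRS value is an assumption chosen for illustration; the only external fact used is the -203 to 110 score range of the DoD Assessment Methodology for NIST SP 800-171. The vendor records are constructed sample data. The one edge case it handles explicitly is a CUI-handling vendor with no posted SPRS score, whose self-attestation cannot be validated (VRT-03) and who is therefore held one tier higher until it can.

```python
"""Vendor risk tier scoring: illustrative implementation with assumed weights.

All weights, thresholds, cadences and SPRS minimums are assumptions for
demonstration, not a published methodology.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Tier(Enum):
    LIMITED = 1
    STANDARD = 2
    CRITICAL = 3


@dataclass(frozen=True)
class VendorProfile:
    name: str
    cui_exposure: str            # "none" | "incidental" | "processes" | "stores"
    dfars_flow_down: bool        # 252.204-7012 flowed down in the subcontract
    access_scope: str            # "none" | "remote" | "network" | "privileged"
    sprs_score: Optional[int]    # NIST SP 800-171 DoD assessment score; None if not posted
    open_findings: int           # unresolved findings from the prior assessment
    incidents_24m: int           # reported cyber incidents in the trailing 24 months


# Assumed weights (exposure component, 0..80 points).
CUI_EXPOSURE_POINTS = {"none": 0, "incidental": 10, "processes": 25, "stores": 35}
ACCESS_SCOPE_POINTS = {"none": 0, "remote": 10, "network": 20, "privileged": 30}
FLOW_DOWN_POINTS = 15
# Assumed weights (posture component, 0..40 points; higher is worse).
UNKNOWN_POSTURE_PENALTY = 20
SPRS_MIN, SPRS_MAX = -203, 110   # DoD Assessment Methodology score range (fact)
# Assumed tier thresholds, cadences and minimum posture per tier.
CRITICAL_THRESHOLD, STANDARD_THRESHOLD = 60, 25
REVIEW_CADENCE_DAYS = {Tier.CRITICAL: 90, Tier.STANDARD: 180, Tier.LIMITED: 365}
MIN_SPRS_FOR_TIER: Dict[Tier, Optional[int]] = {Tier.CRITICAL: 70, Tier.STANDARD: 0, Tier.LIMITED: None}


def exposure_score(v: VendorProfile) -> int:
    """What the vendor touches: CUI handling, access scope and contractual flow-down."""
    return (CUI_EXPOSURE_POINTS[v.cui_exposure]
            + ACCESS_SCOPE_POINTS[v.access_scope]
            + (FLOW_DOWN_POINTS if v.dfars_flow_down else 0))


def posture_score(v: VendorProfile) -> int:
    """Objective compliance indicators: SPRS score, prior findings, incident history."""
    if v.sprs_score is None:
        sprs_penalty = UNKNOWN_POSTURE_PENALTY        # attestation cannot be validated
    else:
        if not SPRS_MIN <= v.sprs_score <= SPRS_MAX:
            raise ValueError(f"{v.name}: SPRS score {v.sprs_score} outside {SPRS_MIN}..{SPRS_MAX}")
        # Linear map: 110 -> 0 penalty points, -203 -> 20 penalty points.
        sprs_penalty = round((SPRS_MAX - v.sprs_score) / (SPRS_MAX - SPRS_MIN) * 20)
    findings_penalty = 2 * min(v.open_findings, 5)   # capped so one input cannot dominate
    incident_penalty = 5 * min(v.incidents_24m, 2)
    return sprs_penalty + findings_penalty + incident_penalty


def risk_score(v: VendorProfile) -> int:
    return exposure_score(v) + posture_score(v)


def assign_tier(v: VendorProfile) -> Tier:
    score = risk_score(v)
    if score >= CRITICAL_THRESHOLD:
        tier = Tier.CRITICAL
    elif score >= STANDARD_THRESHOLD:
        tier = Tier.STANDARD
    else:
        tier = Tier.LIMITED
    # Edge case: a CUI-handling vendor with no posted SPRS score cannot have its
    # self-attestation validated, so it is held one tier higher until it can.
    if v.sprs_score is None and v.cui_exposure != "none" and tier is not Tier.CRITICAL:
        tier = Tier(tier.value + 1)
    return tier


def needs_escalation(v: VendorProfile) -> bool:
    """True when the vendor's posture falls below the minimum its tier requires."""
    required = MIN_SPRS_FOR_TIER[assign_tier(v)]
    if required is None:
        return False
    return v.sprs_score is None or v.sprs_score < required


def tier_report(vendors: List[VendorProfile]) -> Dict[str, Tuple[str, int, int, bool]]:
    """name -> (tier, score, review cadence in days, escalation flag)."""
    return {v.name: (assign_tier(v).name, risk_score(v),
                     REVIEW_CADENCE_DAYS[assign_tier(v)], needs_escalation(v))
            for v in vendors}


# Constructed sample vendors; names and values are fictional.
SAMPLE_VENDORS = [
    VendorProfile("Acme Machining", "stores", True, "network", 95, 1, 0),
    VendorProfile("Beta Logistics", "incidental", True, "remote", None, 0, 0),
    VendorProfile("Gamma Catering", "none", False, "none", None, 0, 0),
    VendorProfile("Delta Software", "processes", True, "privileged", 40, 3, 1),
]

if __name__ == "__main__":
    for name, (tier, score, cadence, escalate) in tier_report(SAMPLE_VENDORS).items():
        print(f"{name:16} {tier:9} score={score:3} review every {cadence:3} days escalate={escalate}")
```

Keeping the exposure and posture components separate is deliberate: a vendor's tier should be driven mostly by what it touches (a CUI custodian with a strong SPRS score is still Critical), while the posture component and the per-tier minimum are what trigger the VRT-05 remediation path.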
## Assessment Alignment
This pack is structured for third-party assessor review. Control objectives map directly to NIST SP 800-161 supply chain risk management requirements and DFARS 252.204-7012/7019/7020 compliance obligations. Evidence artifacts are version-controlled and traceable within the firm's controlled governance repository. Assessment preparation includes validation of tier assignment consistency, review cadence compliance, and escalation procedure documentation.
Stella Maris Governance - Pre-Assessment Readiness Validation - stellamarisgovernance.com