Stella Maris Governance LLC - Supply Chain Risk Governance
Public C-SCRM Framework | NIST SP 800-161 | Supplier Oversight Artifacts
Overview
This repository contains the public supply chain risk governance methodology and framework artifacts used by Stella Maris Governance LLC to support defense contractors implementing Cyber Supply Chain Risk Management (C-SCRM) programs aligned to NIST SP 800-161 Rev 1 and DFARS flow-down requirements.
Supply chain risk governance is one of the most underserved compliance requirements in the Defense Industrial Base. Most small and mid-tier contractors focus on their own CMMC posture while neglecting the obligation to govern the compliance posture of their own subcontractors and suppliers.
All materials are aligned to:
- NIST SP 800-161 Rev 1 (C-SCRM practices)
- DFARS 252.204-7012 / 7020 (flow-down requirements)
- Executive Order 14028 (software supply chain security)
- CMMC Level 2 (supply chain risk domain)
C-SCRM Framework Components
Supplier Risk Tiering
Three-tier supplier classification model based on CUI access, system integration depth, and criticality to operations:
| Tier | Classification | Oversight Level |
|---|---|---|
| Tier 1 | Critical: direct CUI access | Full assessment required |
| Tier 2 | Significant: indirect CUI exposure | Attestation + periodic review |
| Tier 3 | Standard: no CUI access | Self-certification acceptable |
Vendor Assessment Model
Structured methodology for evaluating supplier security posture, compliance status, and risk profile. Includes assessment criteria, scoring rubric, and conditional acceptance workflow.
Flow-Down Guidance
DFARS clause flow-down requirements and contractor obligations for managing subcontractor compliance. Covers 252.204-7012, 7019, and 7020 flow-down applicability determinations.
Risk Register Framework
Supplier risk tracking structure for maintaining ongoing visibility into supply chain risk posture. Includes risk categorization, mitigation tracking, and escalation criteria.
Repository Structure
- /c-scrm-overview - C-SCRM program overview and regulatory context
- /supplier-risk-framework - Supplier tiering methodology and classification model
- /vendor-assessment-model - Vendor assessment criteria and scoring framework
- /flowdown-guidance - DFARS flow-down requirements and applicability guidance
- /risk-register-template - Supplier risk register structure and tracking framework
- /supplier-governance-model - Ongoing supplier oversight and governance model
Scope
Materials in this repository are public, client-safe supply chain governance artifacts. All content is sanitized, illustrative, and non-client-specific.
Exclusions
Active supplier risk registers, client-specific vendor assessments, proprietary tiering decisions, and internal supplier governance records are maintained in the firm's internal source control environment and are not published here.
Stella Maris Governance LLC - Governance, compliance, and operational discipline for high-trust defense environments.