C-SCRM - Roles and Responsibilities
1. Roles and Responsibilities
The following personnel are critical to the successful completion of the C-SCRM strategy. Their roles and responsibilities for the program are as follows:
| Role | Responsibilities |
| --- | --- |
| Senior Leadership | Endorse the enterprise's C-SCRM strategic objectives and implementation plan |
| | Provide oversight of C-SCRM implementation and effectiveness |
| | Communicate C-SCRM direction and decisions on priorities and resourcing needs |
| | Determine the enterprise's risk appetite and risk tolerance |
| | Respond in a timely manner to escalated high-risk C-SCRM issues that could affect the enterprise's risk posture |
| Mission and Business Owners | Determine mission-level risk appetite and tolerance, ensuring they align with enterprise expectations |
| | Define supply chain risk management requirements and implement controls that support enterprise objectives |
| | Maintain criticality analyses of mission functions and assets |
| | Perform risk assessments for mission- and business-related procurements |
| C-SCRM Program Executive | Lead the establishment, development, and oversight of the C-SCRM Program in coordination and consultation with the designated C-SCRM Leads |
| | Establish and serve as Chair of the C-SCRM PMO[1] |
| | Escalate and/or report C-SCRM issues to Senior Officials as appropriate |
| C-SCRM Leads | Incorporate relevant C-SCRM functions into enterprise- and position-level functions |
| | Implement and conform to C-SCRM Program requirements |
| | Represent the interests and needs of C-SCRM PMO members |
| | Lead and/or coordinate the development and execution of program or business-line C-SCRM plans |
| Business Process C-SCRM Staff | Execute the primary C-SCRM activities (e.g., supplier or product assessments) |
| | Support business-specific C-SCRM activities driven by non-C-SCRM staff |

Table 1: Roles and Responsibilities
2. Assigned Personnel
The following personnel are assigned to the above roles:
| Role | Assigned |
| --- | --- |
| C-SCRM Program Executive | |
| C-SCRM Leads | |
| Business Process C-SCRM Staff | |

Table 2: Assigned Personnel
3. Revision and Maintenance
MRC's C-SCRM Roles and Responsibilities table must be reviewed at least annually, because the laws, policies, standards, guidelines, and controls it depends on change continually.
Additional criteria that may trigger interim revisions include:
- A change of policies that impact the C-SCRM program,
- Significant C-SCRM events,
- The introduction of new technologies,
- The discovery of new vulnerabilities,
- Operational or environmental changes,
- Shortcomings in the C-SCRM policy,
- A change of scope,
- A change of personnel, and
- Other enterprise-specific criteria.
| Version | Date | Description of Change/Revision | Section/Pages Affected | Changes Made By |
| --- | --- | --- | --- | --- |
| 1.0 | | First draft | All | Trinity Cyber Security |

Table 3: Version Management
[1] This team will consist of the Chair and the designated C-SCRM Leads. It will be responsible for developing and coordinating C-SCRM strategy, implementation plans, and actions that address C-SCRM-related issues; for program reporting and oversight; and for identifying and making program resource recommendations.