[Verse 1]
Pentagon contracts cascade downward through the chain
CMMC Level Two demands your vendors do the same
No more handshakes with suppliers who can't prove their game
Third-party risk assessment separates wheat from grain

[Chorus]
Flow it down, lock it tight
SCRM controls at every site
Tier One tells Tier Two
What Tier Two must push right through
Document the vendor screen
Map the critical fourteen
Flow it down, make it stick
Supply chain armor thick

[Verse 2]
Small shops scramble when the prime contractor calls
"Show me how you guard the data behind your firewall walls"
System Security Plans must cover vendor halls
One weak link in cyberspace and the whole mission stalls

[Chorus]
Flow it down, lock it tight
SCRM controls at every site
Tier One tells Tier Two
What Tier Two must push right through
Document the vendor screen
Map the critical fourteen
Flow it down, make it stick
Supply chain armor thick

[Bridge]
Controlled Unclassified Information travels deep
Through subcontractors who must earn the right to keep
Federal contract data while they manufacture steep
Requirements for compliance that make accountants weep

[Verse 3]
Due diligence questionnaires probe supplier bones
Risk registers capture threats in standardized zones
Incident response procedures for breach-damaged phones
Supply chain transparency down to microphone components

[Final Chorus]
Flow it down, lock it tight
SCRM controls at every site
Tier One tells Tier Two
What Tier Two must push right through
Document the vendor screen
Map the critical fourteen
Flow it down, make it stick
Supply chain armor thick
Defense depends on every link