This chapter presents the standard and process as a means to demonstrate an effective risk management scheme and the ability to be extended to apply to the underlying principles of supply chain risk management. It describes the tasks that ensure adequate security control selection within the Information and Communication Technology product chain. The process of risk management must include identifying and controlling information as it is created within the supply chain, risk identification, a risk-control process and prioritizing their importance. A security program, whether at the organization or the system level, should include an appropriate mix of security controls: management, operational, and technical. Within the security plan are the justifications for all of the decisions made during the initial security control selection, tailoring, and supplementation processes. Organizational tracking systems that have been put into place through configuration management activities should be updated to identify the system or system components taken out of service.