The Supply Chain Risk Management (SCRM) Policy and supporting documents are significant to the CMMC model, especially considering the complex and interconnected nature of the defense supply chain. The CMMC emphasizes the security practices of its suppliers and partners. The DIB relies on a vast network of suppliers and subcontractors, each potentially introducing vulnerabilities. A SCRM policy and supporting documents help to identify, assess, and mitigate risks posed by third parties who may handle or access Controlled Unclassified Information (CUI) or other sensitive data. These documents describe a governance and evaluation program for critical vendors.