Thalorin
Capabilities

Trusted Systems, Counterfeit Prevention & SCRM Compliance

Unified compliance infrastructure for the overlapping frameworks governing defense supply chain security. Manage NIST SP 800-161, DoDI 5200.44 criticality analysis, DFARS counterfeit prevention, Section 889 prohibited sources, and FOCI requirements through a single integrated workflow.

5: Frameworks unified
Section 889: Prohibited source tracking
NIST 800-161: Full compliance

The Convergence Problem

Supply chain risk management in defense acquisition requires simultaneous compliance with frameworks that evolved independently and now overlap significantly.

These frameworks share objectives but use different terminology, require different documentation, and impose different assessment criteria. Information that should flow between these efforts remains siloed.

NIST SP 800-161 Rev 1: C-SCRM methodology
DoDI 5200.44: Criticality analysis
DFARS 252.246-7007: Counterfeit prevention
Section 889: Prohibited sources
FOCI Requirements: Foreign ownership

Thalorin Unifies SCRM

Supplier assessments address all applicable frameworks simultaneously. Risk scores aggregate across compliance dimensions. Documentation generated for one requirement satisfies overlapping obligations in others.

Three-Tier C-SCRM Implementation

NIST Special Publication 800-161 Revision 1 provides the authoritative C-SCRM framework. The Supply Chain Risk control family in NIST 800-53 Rev 5 includes eleven controls: SR-1 through SR-11.

Level 1: Enterprise

Governance including policies, risk appetite, and organizational accountability

SR-1 Policy & Procedures
SR-2 Supply Chain Risk Management Plan
Organization-wide risk governance

Thalorin maps organizational practices to NIST 800-161 requirements across all three tiers, generating C-SCRM plans and tracking control implementation status in enterprise risk dashboards.

Criticality Analysis & Trusted Systems

Criticality levels determine the intensity of supplier risk assessment. Programs must conduct functional decomposition tracing missions to ICT components.

Level I, Mission Critical: Total mission failure. DIA threat assessment required.
Level II, Mission Significant: Significant mission compromise. DIA threat assessment required.
Level III, Mission Support: Limited mission impact. Standard supplier vetting.

DIA Threat Assessment Center

For Level I and Level II critical components, the Defense Intelligence Agency provides classified threat analysis informing both supplier vetting and security controls.

Counterfeit Prevention System

15%
Estimated Counterfeit Parts

Industry estimates suggest 15 percent of DoD spare parts are counterfeit, with reported incidents continuing to increase.

60-Day Reporting Deadline

FAR 52.246-26 requires reporting counterfeit parts to GIDEP within 60 days of discovery.

DFARS mandates counterfeit prevention systems for contractors subject to Cost Accounting Standards, specifying twelve system criteria.

Training personnel in counterfeit detection
Inspecting and testing per AS6171 and AS6081 standards
Processes preventing counterfeit proliferation
Traceability from original manufacturer through Government acceptance
Using only suppliers meeting DFARS 252.246-7008 requirements
Reporting and quarantining counterfeit or suspect parts

Thalorin automates counterfeit prevention compliance with GIDEP monitoring, quarantine workflows, and incident reporting automation.

Prohibited Sources

Section 889 prohibits contracting with entities using equipment or services from covered telecommunications companies and their subsidiaries and affiliates.

Part A

Direct procurement of covered telecommunications equipment

Part B

Any entity using covered equipment anywhere in business operations

Part B's broad scope creates significant compliance challenges. Contractors must verify covered equipment does not exist anywhere in their enterprise, regardless of nexus to government work.

Covered Entities
Huawei Technologies
ZTE Corporation
Hytera Communications
Hangzhou Hikvision
Dahua Technology

Includes all subsidiaries and affiliates. Thalorin maintains current prohibited entity databases with subsidiary identification and remediation tracking.

Foreign Ownership, Control or Influence

FOCI requirements expanded dramatically under Section 847 of the FY2020 NDAA, extending reviews to unclassified contracts exceeding $5 million.

200K+: Contractors now subject to FOCI
$5M: Review threshold for unclassified contracts
7-8K: Annual FOCI reviews (up from 500-600)

FOCI Mitigation Instruments

Board Resolution: Limited foreign involvement. Intensity: Low
Security Control Agreement: Moderate foreign ownership. Intensity: Medium
Special Security Agreement: Substantial foreign ownership. Intensity: High
Proxy Agreement: Foreign government involvement. Intensity: Highest

DCSA adjudicates FOCI determinations and approves mitigation instruments. Thalorin tracks FOCI status across the supplier base and monitors ownership changes that could trigger concerns.

SPRS Integration

The Supplier Performance Risk System serves as DoD's authoritative source for supplier information. Contracting officers query SPRS before contract awards to verify eligibility and assess risk.

SPRS scores directly impact contract competitiveness. Suppliers with low assessment scores or poor delivery performance face increased scrutiny and potential exclusion.

NIST 800-171 Scores

Assessment scores directly impact contract competitiveness

On-Time Delivery

Delivery performance rates tracked across contracts

Quality Classifications

Quality indicators and corrective action status

CMMC Status

Certification tracking as enforcement begins

Thalorin integrates with SPRS to maintain current supplier risk profiles, track score trends, and validate assessment data before upload.

Multi-Tier Visibility

Supply chain risk does not stop at Tier 1 suppliers. Critical vulnerabilities often exist in sub-tier suppliers where prime contractors have limited visibility.

Industry estimates suggest most organizations have visibility into fewer than 50 percent of their sub-tier suppliers.

Tier 1, Prime Contractors: High visibility
Tier 2, Major Subcontractors: Medium visibility
Tier 3, Component Suppliers: Low visibility
Tier 4+, Raw Materials: Minimal visibility

Extended Visibility

Thalorin aggregates supplier information across program boundaries to build enterprise supply chain visibility. Risk indicators at any tier propagate to affected programs.

Platform Capabilities

NIST 800-161 Compliance

Three-tier C-SCRM implementation with control mapping

Criticality Analysis

Functional decomposition and DIA coordination tracking

Counterfeit Prevention

DFARS compliance with GIDEP monitoring

Section 889 Screening

Prohibited entity database with validation

FOCI Management

Ownership monitoring and mitigation tracking

SPRS Integration

Assessment score tracking and validation

Supplier Risk Scoring

Aggregated metrics across compliance dimensions

Multi-Tier Mapping

Sub-tier visibility with risk propagation

Incident Response

Counterfeit discovery and breach coordination

Audit Documentation

Evidence packages for all SCRM requirements

Key Metrics

60 days

GIDEP counterfeit reporting deadline

$5M

FOCI review threshold for unclassified contracts

78

DMEA accredited trusted suppliers

11

NIST 800-53 Rev 5 SR control family
