Cyber security regulatory guidelines for domestic and foreign nuclear facilities, such as KINAC/RS-015, NRC’s RG5.71 and NEI 13-10, require security measures that maintain the integrity of critical digital assets (CDAs) and protect them from threats in the supply process. Under these requirements, cyber security requirements shall be reflected in purchase requirements from the time CDAs are introduced, and it shall be verified before introduction that the cyber security measures were properly applied. Domestic licensees apply the supply chain control measures of the nuclear safety sector to their cyber security policies. The safety sector supply chain control policy functionally overlaps in some areas with the requirements of cyber security regulations, so regulatory guidelines from the safety sector can be applied. However, since most emergency preparedness and physical protection functions introduce digital commercial products, there is a limit to applying safety-sector supply chain control as it is. It is necessary either to apply operator supply chain control policies, procedures, and purchase requirements for each SSEP function, or to establish integrated cyber security supply chain control requirements. Based on the licensee’s current supply chain control policy, this paper considers a cyber security regulation plan for supply chain control according to the SSEP (Safety-Security-Emergency Preparedness) function of CDAs.