CMMC Practice SI.2.214
Monitor system security alerts and advisories and take action in response.
Bold Coast Security Guidance
The US-CERT security alert mailing list is one of the easiest and most informative lists available. You can subscribe to it here: https://www.us-cert.gov/mailing-lists-and-feeds.
Also. subscribe to any local or organizational ISAC's you may have identified in practice IR.4.100.
Your policy will state that you are monitoring these lists, and identify the lists you subscribe to in your plan. Be sure to refer back to this list on a regular basis, every year or so, and be sure the information is still relevant to your organization, or if you should add to it, in order to meet maturity level 4.
DRAFT NIST SP 800-171 R2
There are many publicly available sources of system security alerts and advisories. The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government and in non-federal organizations. Software vendors, subscription services, and relevant industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
NIST SP 800-161 provides guidance on supply chain risk management.