csrc.nist.gov
URL:
https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Submission: On May 02 via api from TR — Scanned from DE
Form analysis
2 forms found in the DOM
Name: site-search — GET /search
<form name="site-search" id="site-search-form" action="/search" method="GET">
<label for="search-csrc-query" class="element-invisible">Search</label>
<input autocomplete="off" class="form-control" id="search-csrc-query" name="keywords" type="text" size="15" maxlength="128" placeholder="Search CSRC">
<input type="hidden" name="ipp" value="25">
<input type="hidden" name="sortBy" value="relevance">
<input type="hidden" name="showOnly" value="publications,projects,news,events,presentations,glossary,topics">
<input type="hidden" name="topicsMatch" value="ANY">
<input type="hidden" name="status" value="Final,Draft">
<input type="hidden" name="series" value="FIPS,SP,NISTIR,ITL Bulletin,White Paper,Building Block,Use Case,Journal Article,Conference Paper,Book">
<button type="submit" id="search-csrc-submit-btn" class="form-submit">
<span class="element-invisible">Search</span>
<i class="fa fa-search"></i>
</button>
</form>
Name: site-search-mobile — GET /search
<form name="site-search-mobile" id="site-search-form-mobile" action="/search" method="GET">
<label for="search-csrc-query-mobile" class="element-invisible">Search</label>
<input autocomplete="off" class="form-control" id="search-csrc-query-mobile" name="keywords" type="text" size="15" maxlength="128" placeholder="Search CSRC">
<button type="submit" id="search-csrc-submit-btn-mobile" class="form-submit">
<span class="element-invisible">Search</span>
<i class="fa fa-search"></i>
</button>
</form>
Text Content
Information Technology Laboratory, Computer Security Resource Center: Publications
SP 800-161 REV. 1
CYBERSECURITY SUPPLY CHAIN RISK MANAGEMENT PRACTICES FOR SYSTEMS AND ORGANIZATIONS
Date Published: May 2022
Planning Note (5/5/2022): The guidance from Appendix F, "Response to Executive Order 14028's Call to Publish Guidelines for Enhancing Software Supply Chain Security," is available at NIST's dedicated EO 14028 website.
AUTHOR(S)
Jon Boyens (NIST), Angela Smith (NIST), Nadya Bartol (Boston Consulting Group), Kris Winkler (Boston Consulting Group), Alex Holbrook (Boston Consulting Group), Matthew Fallon (Boston Consulting Group)
ABSTRACT
Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services. This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services.
KEYWORDS
acquire; C-SCRM; cybersecurity supply chain; cybersecurity supply chain risk management; information and communication technology; risk management; supplier; supply chain; supply chain risk assessment; supply chain assurance; supply chain risk; supply chain security
CONTROL FAMILIES
None selected
DOCUMENTATION
Publication: SP 800-161 Rev. 1 (DOI); Local Download
Supplemental Material: EO 14028: Software Security in Supply Chains (web); NIST’s Cyber Supply Chain Risk Management Program (other); NIST news article (web)
Related NIST Publications: NISTIR 8286
Document History:
02/04/20: SP 800-161 Rev. 1 (Draft)
04/29/21: SP 800-161 Rev. 1 (Draft)
10/28/21: SP 800-161 Rev. 1 (Draft)
05/05/22: SP 800-161 Rev. 1 (Final)
TOPICS
Security and Privacy: acquisition; cybersecurity supply chain risk management
Laws and Regulations: Executive Order 14028