Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Releases Draft NISTIR 8276 for Comment, “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry,” and Publishes Cyber SCRM Case Studies

Draft NISTIR 8276, "Key Practices in Cyber Supply Chain Risk Management: Observations from Industry” is available for comment; the comment period closes March 4, 2020. Six new Case Studies in Cyber SCRM are also available, along with a "Summary of Fin

NIST requests feedback on Draft NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from industry. This publication is based on an analysis of interviews with companies in 2015 and 2019, which led to the development of 24 case studies; prior NIST research in cyber supply chain risk management research; and a number of standards and industry best practices documents. NISTIR 8276 is intended to provide a high-level summary of practices deemed by subject matter experts to be foundational to an effective cyber supply chain risk management program.

A public comment period for this document is open through March 4, 2020. See the publication details for a copy of the draft and instructions for submitting comments. NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

For additional information, see this NIST news article.


Additionally, NIST has published six new case studies on Cyber Supply Chain Risk Management. Since the release of the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and its companion Roadmap for Improving Critical Infrastructure Cybersecurity in 2014, NIST has researched industry practices in cyber supply chain risk management (C-SCRM) through engagement with industry leaders. In 2015, NIST subsequently released 18 case studies describing how various industry organizations approach C-SCRM.

The six new case studies published today describe how C-SCRM has evolved in companies that represent a diverse range of industries. Along with the case studies, NIST has included a Summary of Findings and Recommendations, which describes trends, correlations, and novel findings garnered from an analysis of the interviews as a whole.

Released February 4, 2020