Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity Supply Chain Risk Management Practices: Second Draft SP 800-161 Rev. 1 Available for Comment

A second public draft of Special Publication (SP) 800-161 Revision 1, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations," is open for comment through December 3, 2021.

NIST has just released the second public draft of Special Publication (SP) 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, for public comment. We listened to your comments from earlier this year about the first version, we’ve made new changes, and we are hoping to get your feedback again on our new draft.

The initial public draft was published in April of 2021 and preceded the release of the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028)” issued on May 12, 2021. This EO charged multiple agencies—including NIST—with enhancing cybersecurity through a variety of initiatives, but with a specific focus on the security and integrity of the software supply chain.

What is different about this second version?

We worked on making the implementation guidance more consumable by different audiences by revising the structure of the document and adding Audience Profiles. We also added two NEW appendices focused more specifically on Federal departments and agencies: 

  • APPENDIX E: A Federal Acquisition Supply Chain Security Act of 2018 (FASCSA) appendix, which provides additional guidance tailored to federal executive agencies related to supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response.   
  • APPENDIX F: A Response to Executive Order 14028’s Call to Publish Preliminary Guidelines or Enhancing Software Supply Chain Security appendix, which seeks to provide a response to the directives outlined within Section 4(c) of the EO by outlining existing industry standards, tools, and recommended practices within the context of SP 800-161 Revision 1, as well as any new standards, tools, and recommended practices stemming from the EO and recent developments in the discipline.

How are comments submitted?

Comments are due by December 3, 2021. The template for comment submissions, along with instructions and more information, can be found on our website. As always, we are thankful for your support; your ideas will continue to help shape our final publication to ensure it meets the needs and expectations of our customers. We plan to release a final draft of NIST SP 800-161 Revision 1 during the third quarter of 2022.  

Questions? Please email us at scrm-nist [at] nist.gov (subject: Comments%20on%20Second%20Draft%20SP%20800-161%20Rev.%201) (scrm-nist[at]nist[dot]gov).

Released October 28, 2021, Updated November 8, 2021