The Initial Public Draft for SP 1326, NIST Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Quick-Start Guide; is available for public comment. The public comment period is open through December 16, 2024.
Cybersecurity supply chain risk management (C-SCRM) assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a supplier’s risk prior to entering into an agreement with them.
Based on the widely adopted content in NIST Special Publication (SP) 800-161r1, this new draft Quick-Start Guide proposes an implementation-ready approach to conducting the minimum amount of investigative rigor on potential suppliers. Identifying the primary risk factors that an acquirer should consider can enable quick turnarounds with limited resources.
NIST welcomes comments on this initial public draft by December 16, 2024. Please email feedback to scrm-nist [at] nist.gov (scrm-nist[at]nist[dot]gov.)