Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST releases the finalized C-SCRM Due Diligence Assessment Quick-Start Guide

This Quick-Start Guide based on the widely adopted content in NIST SP 800-161r1 proposes an implementation-ready approach to conducting the minimum amount of reasonable research and investigative rigor on potential suppliers.

Cybersecurity supply chain risk management (C-SCRM) assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a supplier’s risk prior to entering into an agreement with them.

Based on the widely adopted content in NIST Special Publication (SP) 800-161r1, this finalized Quick-Start Guide proposes an implementation-ready approach to conducting the minimum amount of reasonable research and investigative rigor on potential suppliers. Identifying the primary risk factors that an acquirer should consider can enable quick, informed turnarounds despite limited resources.

Released July 8, 2026
Was this page helpful?