NIST has released the initial public draft (ipd) of Special Publication (SP) 800-18r2. The comment period is open through July 30, 2025.
NIST has released the initial public draft (ipd) of Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.
The system security plan, privacy plan, and cybersecurity supply chain risk management plan consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. These system plans serve as a centralized point of reference for information about the system and risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the internal and external environments of operation, system components, and data flows; and controls that are planned or in place to manage risks.
The comment period is open through July 30, 2025. See the publication details for a copy of the draft, supplemental files, and a comment template. Commenters are encouraged to use that template and submit feedback to sec-cert [at] nist.gov with “SP 800-18r2 ipd comments” in the subject.