
Open for Public Comment | Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

NIST has released the initial public draft (ipd) of Special Publication (SP) 800-18r2. The comment period is open through July 30, 2025.

NIST has released the initial public draft (ipd) of Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.

The system security plan, privacy plan, and cybersecurity supply chain risk management plan consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. These system plans serve as a centralized point of reference for information about the system and risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the internal and external environments of operation, system components, and data flows; and controls that are planned or in place to manage risks.

The comment period is open through July 30, 2025. See the publication details for a copy of the draft, supplemental files, and a comment template. Commenters are encouraged to use that template and submit feedback to sec-cert [at] nist.gov with “SP 800-18r2 ipd comments” in the subject.

Released June 4, 2025