Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

Published

Author(s)

Jeremy Licata, Rebecca McWhite, Laura Calloway, Meghan Anderson, Julie Snyder, Dylan Gilbert, Jeremy Miller

Abstract

The system security plan, system privacy plan, and cybersecurity supply chain risk management plan are collectively referred to as system plans. They describe the purpose of the system, the operational status of the controls selected and allocated for meeting risk management requirements, and the responsibilities and expected behavior of all individuals who manage, support, and access the system. This publication identifies essential elements of system plans from security, privacy, and cybersecurity supply chain risk management perspectives to promote consistent information collection across the organization, regardless of the system's mission or business function.
Citation
Special Publication (NIST SP) - 800-18r2
Report Number
800-18r2

Keywords

authorization boundary, authorizing official, common control authorization, control implementation details, cybersecurity supply chain risk management plan, privacy plan, privacy risk management, risk management framework, security plan, security risk management, authorization to operate, authorization to use, authorizing official designated representative, CASES Act, control implementation, controls, FASCSA, FISMA, ongoing authorization, Privacy Act, supply chain, supply chain risk management, system privacy plan, system security plan, system owner

Citation

Licata, J., McWhite, R., Calloway, L., Anderson, M., Snyder, J., Gilbert, D. and Miller, J. (2026), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-18r2, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=962039 (Accessed July 1, 2026)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created June 30, 2026