NIST has released Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems. This revision broadens the scope of system planning to encompass three interconnected plan types that are collectively referred to as "system plans": the system security plan, system privacy plan, and cybersecurity supply chain risk management (C-SCRM) plan. Essential system plan elements are correlated with the steps and tasks of the NIST Risk Management Framework (RMF) to provide a streamlined approach to system plan development.
The system security plan, privacy plan, and C-SCRM plan consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. These system plans serve as a centralized point of reference for information about the system and risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the internal and external environments of operation, system components, and data flows; and controls that are planned or in place to manage risks.
This revision also emphasizes the use of machine-readable data formats to support automated data collection using widely deployed platforms, including Governance, Risk, and Compliance (GRC) tools; Security Orchestration, Automation, and Response (SOAR) platforms; and Security Information and Event Management (SIEM) systems. Reporting dashboards enabled by these platforms support near real-time risk management decision-making and reduce the reliance on static, point-in-time documentation.
Since organizations have varying needs and capabilities, NIST has developed a suite of supplemental materials that are available alongside the publication:
Organizations that continue to rely on document-based system plans will find these templates especially useful as a starting point for organization-defined formats.
This publication also retires legacy system classification terminology (e.g., general support system, major application) in favor of terms that align with current requirements and modern technology ecosystems.
See the publication details for a copy of SP 800-18r2 and supplemental materials. The NIST Risk Management Framework project site has additional information about the RMF and RMF publications.
Please send questions or comments about this and other RMF publications to sec-cert [at] nist.gov.