Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

Published

Author(s)

Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon

Abstract

Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise's decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services. This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services. [Supersedes SP 800-161, Revision 1 (May 2022): https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934690]
Citation

Special Publication (NIST SP) - 800-161r1-upd1

Report Number

800-161r1-upd1

Keywords

acquire, C-SCRM, cybersecurity supply chain, cybersecurity supply chain risk management, information and communication technology, risk management, supplier, supply chain, supply chain risk assessment, supply chain assurance, supply chain risk, supply chain security

Citation

Boyens, J., Smith, A., Bartol, N., Winkler, K., Holbrook, A. and Fallon, M. (2024), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-161r1-upd1, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=958681 (Accessed January 17, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created November 1, 2024, Updated January 6, 2025