Key Practices in Cyber Supply Chain Risk Management: Observations from Industry



Jon M. Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi


In today's highly connected, inter-dependent world, all organizations rely on others for critical products and services. However, the reality of globalization, while providing many benefits, has resulted in a world where organizations no longer fully control -- and often do not have full visibility into -- the supply ecosystems of the products that they make or the services that they deliver. With more and more businesses becoming digital, producing digital products and services, and moving their workloads to the cloud, the impact of a cybersecurity event today is greater than ever before and could include personal data loss, significant financial losses, compromise of product integrity or safety, and even loss of life. Organizations can no longer protect themselves by simply securing their own infrastructures, since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link. That is why identifying, assessing, and mitigating cyber supply chain risks is a critical capability for ensuring business resilience. The multidisciplinary approach to managing these types of risks is called Cyber Supply Chain Risk Management (C-SCRM). This document provides the ever-increasing community of digital businesses with a set of Key Practices that any organization can use to manage the cybersecurity risks associated with its supply chains. The Key Practices presented in this document can be used to implement a robust C-SCRM function at an organization of any size, scope, and complexity. These practices combine the information contained in existing C-SCRM government and industry resources with the information gathered during the 2015 and 2019 NIST research initiatives.
Report Number: NIST Interagency/Internal Report (NISTIR) - 8276


Keywords: best practices, cyber supply chain risk management, C-SCRM, external dependency management, information and communication technology supply chain risk management, ICT SCRM, key practices, risk management, supplier, supply chain, supply chain assurance, supply chain risk, supply chain risk assessment, supply chain risk management, supply chain security, third-party risk management.


Citation: Boyens, J., Paulsen, C., Bartol, N., Winkler, K. and Gimbi, J. (2021), Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed July 13, 2024)


Created February 10, 2021, Updated March 1, 2021