
News & Events

Best Practices in Cyber Supply Chain Risk Management
October 1-2, 2015
NIST Gaithersburg, MD.

{April 2015} -- NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

{Dec. 2012} -- NIST is pleased to announce a report by the University of Maryland's Supply Chain Management Center: Proof of Concept for an Enterprise ICT SCRM Assessment Package


Contact

General Inquiries
scrm-nist@nist.gov

Jon Boyens
Project Lead
boyens@nist.gov
301-975-5549

Celia Paulsen
Technical Lead
celia.paulsen@nist.gov
301-975-5981

News & Events

  • July 17, 2015
    NIST is pleased to announce the publication of a report by the University of Maryland's Supply Chain Management Center titled "Leveraging the Cyber Risk Portal as a Teaching & Education Tool". The report, which stems from a NIST grant, details updates and new content developed for the Cyber Risk Portal. These activities build on the series of enterprise IT supply chain risk management tools from a previous NIST grant. The University of Maryland enhanced the usability of the portal by redesigning the user interface and developing new educational multimedia content, including video interviews of subject matter experts and content-specific tutorials. In addition, the report details the results of additional market testing and opportunity research, including discussions with the insurance industry and critical sectors of the federal community.
     
  • April 9, 2015 -- NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
     
    Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies' decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.
     
    Special Publication 800-161: (i) provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations; (ii) integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities; and, (iii) builds on existing practices from multiple disciplines and is intended to increase the ability of organizations to strategically manage ICT supply chain risks over the entire life cycle of systems, products, and services.
     
    For information on NIST's ICT SCRM Program, please visit: http://csrc.nist.gov/scrm/


     
  • June 2014 -- NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment. It can be accessed from either the SCRM Publications page or the CSRC Drafts page.
     
  • October 21, 2013 -- Due to the recent government shutdown, NIST is extending the comment period for NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. Comments are now due by November 1, 2013.
     
    This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
     
    (NOTE: This draft has been updated with the Second Draft -- see the news item above (June 2014) to learn more about the second draft of this document.)
     
  • July 10, 2013 -- A Summary of the Workshop on Information and Communication Technologies Supply Chain Risk Management held October 15-16, 2012 is now available online.
     
  • NIST is pleased to announce a report by the University of Maryland's Supply Chain Management Center. The report, which stems from a NIST grant, provides a proof of concept for an information and communication technology supply chain risk management assessment delivered through a web site portal. The proof of concept utilizes work from previous NIST grants and features four major functions: an Enterprise Assessment Section; a Library Section; a Forum Section; and an Initiatives Section.
     
  • October 25, 2012 -- The presentations from the ICT Supply Chain Risk Management workshop (Oct. 15-16, 2012) are now available here.
     
  • NIST is pleased to announce the release of the NIST Interagency Report (NIST IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems. (Oct. 2012) Click here to view NISTIR 7622.

    This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.