Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

New EO Guidance for Cybersecurity Supply Chain Risk Management
May 05, 2022

NIST has released a revision of Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1). This document updates guidance on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization. Among other things, it helps to fulfill NIST’s responsibilities under the 2021 Executive Order (EO) on Improving the Nation’s Cybersecurity which address increasing software security risks throughout the supply chain. That part of the revised publication, Appendix F, covers sections 4(c) and (d) of the EO and is available only on NIST’s EO website HERE.

The publication offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It also encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its individual components — which may have been developed elsewhere — and the journey those components took to reach their destination. The development of this document follows two earlier draft revisions.

The publication is available HERE and today’s NIST news release is available HERE. Questions about the publication can be submitted via



Related Topics

Security and Privacy: acquisition, cybersecurity supply chain risk management

Laws and Regulations: Executive Order 14028

Created May 04, 2022, Updated May 05, 2022