
Cybersecurity Supply Chain Risk Management C-SCRM

Overview

Cybersecurity Supply Chain Risk Management (C-SCRM) involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Communications Technology and Operational Technology (ICT/OT) product and service supply chains throughout the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). Examples of risks include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cybersecurity-related elements of the supply chain.

Since 2008, NIST has conducted research and collaborated with a large number and variety of stakeholders to produce information resources which help organizations with their C-SCRM. By statute, federal agencies must use NIST’s C-SCRM and other cybersecurity standards and guidelines to protect non-national security federal information and communications infrastructure. The SECURE Technology Act and FASC Rule gave NIST specific authority to develop C-SCRM guidelines. NIST is also a member of the Federal Acquisition Security Council (FASC).

Implementing NIST C-SCRM standards and guidance (such as the foundational C-SCRM document Special Publication (SP) 800-161r1) can create a C-SCRM Project Management Office (PMO) or a risk function (for smaller organizations without the capacity to maintain an entire C-SCRM PMO and its personnel). The NIST C-SCRM program helps organizations manage the increasing risk of supply chain compromise related to cybersecurity, whether intentional or unintentional.


C-SCRM Resources


C-SCRM Quick-Start Guides 

Cybersecurity Supply Chain Risk Management (C-SCRM) Quick-Start Guides give users a starting point for understanding relevant NIST resources on becoming smarter acquirers and suppliers of technology products and services. Quick-Start Guides are supplements to relevant NIST publications outlining C-SCRM guidance and are not meant to replace them.


Special Publication (SP) 800-161r1 (Revision 1)

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations is the foundational publication for NIST C-SCRM guidance. The document provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of the organization.


Software and Supply Chain Assurance (SSCA) Forum

The SSCA Forum promotes knowledge sharing about software and supply chain risks (and effective practices and mitigation strategies) among government, academia, and industry. The forum is held 2-3 times a year, is free, and is open to the public. Presentations from the September SSCA Forum are now available.



C-SCRM News

Contacts

Supply Chain General Inquiries

sw.assurance Google Group

Jon Boyens - Project Lead - NIST
301-975-5549

Rebecca McWhite - Technical Lead - NIST

Jeff Brewer - NIST

Created May 24, 2016, Updated September 29, 2025