Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity Supply Chain Risk Management C-SCRM

External References

***Disclaimer: Items in the following lists are provided for research purposes, and do not imply endorsement by NIST.***


U.S. Government Activities / Initiatives

  • Committee on National Security Systems Directive (CNSSD) 505 - "...provides the guidance for organizations that own, operate, or maintain [National Security Systems (NSS)] to address supply chain risk and implement and sustain SCRM capabilities".
  • Comprehensive National Cybersecurity Initiative (CNCI) Number 11– “This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.”
  • Defense Microelectronics Activity Trusted IC Supplier Accreditation Program – designated by the Department of Defense as the accrediting authority for trusted design, aggregator/broker, mask and wafer fabrication, packaging and test services across a broad technology range for specialized governmental applications both classified and unclassified.
  • DoD Supply Chain Integration - “responsible for the orchestration, synchronization, and integration of global supply chain integration and its operational execution”
  • Government-Industry Data Exchange Program (GIDEP) – “contains information on equipment, parts, and assemblies which are suspected to be counterfeit.”
  • International Center for Enterprise Preparedness (InterCEP) Supply Chain Working Group – “Currently, the U.S. Department of Homeland Security is engaged in the process to fulfill its charge under the law to initiate the national voluntary certification program. InterCEP seeks to serve as a catalyst for business sector involvement and plans to work with other organizations to promote both awareness of the program and input into its development.”
  • National Strategy for Global Supply Chain Security – Establishes “the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity”
  • OMB Circular A-130 - "...designed to help drive the transformation of the Federal Government and the way it builds, buys, and delivers technology...".

Back to Top

Related Standards / Best Practices

Back to Top


C-SCRM Research

For NIST / NIST-Sponsored Publications, please see

  • Bartol, Nadya (2015). Utilities Telecom Council Cyber Supply Chain Risk Management For Utilities – Roadmap for Implementation. Utilities Telecom Council. Washington, DC.  View
  • Bloomberg (2011). Supply Chain Cybersecurity. Bloomberg View Cybersecurity Conference. New York, NY. View
  • Charney, S., Werner, E. (2011). Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust. Microsoft Corporation.View
  • Darrell M. West. (2013). Twelve Ways to Build Trust in the ICT Global Supply Chain. Issues in Technology Innovation. Center for Technology Innovation at Brookings. View
  • Ellison, R., Goodenough, J., Weinstock, C., & Woody, C. (2010). Evaluating and Mitigating Software Supply Chain Security Risks. (CMU/SEI-2010-TN-016). Retrieved February 08, 2013, from the Software Engineering Institute, Carnegie Mellon University website: View
  • Filsinger, J., Fast, B., Wolf, D.G., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber CommitteeView
  • Gorman, C. (2012). Counterfeit Chips on the Rise. Spectrum, IEEE. 49 (6), 16-17. View
  • IATAC. (2010). Risk Management for the Off-the-Shelf (OTS) Information Communications Technology (ICT) Supply Chain [For Official Use Only]. SOAR.
  • Information Security Forum (2012). Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your ownView
  • Institute for Defense Analyses (2011). Challenges in Cyberspace. IDA Research Notes. View
  • Kimmins, J. (2011) Telecommunications Supply Chain Integrity: Mitigating the supply chain security risks in national public telecommunications infrastructures. Cybersecurity Summit (WCS), 2011 Second Worldwide. 1-4.View
  • Qiu, X. (2011) Architectural Solution Integration to contain ICT supply chain threats. Cybersecurity Summit (WCS), 2011 Second Worldwide. 1-4. View
  • Siegfried, M. (2012). Defending Cyberspace: Businesses search for ways to protect their computer networks and supply chains against relentless attacks by cybercriminals. Inside Supply Management. View
  • Simpson, S. (2008). Fundamental Practices for Secure Software Development: A guide to the Most Effective Secure Development Practices in Use Today. SAFECode. View
  • Simpson, S. (2009). The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain. SAFECode. View

Back to Top


Involved Standards / Associations

  • National Defense Industrial Association (NDIA) Systems Engineering Division – Seeks “to promote the widespread use of systems engineering (SE) in the Department of Defense (DoD) acquisition process
  • International Council on Systems Engineering (INCOSE) – “champions the art, science, discipline, and practice of systems engineering.”
  • International Electronics Manufacturing Initiative – “iNEMI roadmaps the future technology requirements of the global electronics industry, identifies and prioritizes technology and infrastructure gaps, and helps eliminate those gaps through timely, high-impact deployment projects.”
  • Information Technology Industry Council (ITI) – “ITI navigates the relationships between policymakers, companies, and non-governmental organizations, providing creative solutions that advance the development and use of technology around the world.”
  • International Electronics Manufacturing Initiative (iNEMI) – a not-for-profit, R&D consortium whose mission is to “forecast and accelerate improvements in the electronics manufacturing industry for a sustainable future.”
  • Information Security Forum – “This project will focus on creating a methodology and supporting toolkit to help Members secure their supply chains end-to-end.”
  • Internet Security Alliance – Seeks to provide “practical security measures necessary for the Design, Fabrication, Pre-assembly, Assembly, Distribution, and Maintenance Phases, along with reviewing the legal contractual conditions necessary for implementing the other security measures.”
  • International Standards Organization (ISO) – “the world’s largest developer of voluntary International Standards… covering almost all aspects of technology and business.”
  • IT Sector Coordinating Council – “the principal entity for coordinating with the government on a wide range of critical infrastructure protection activities and issues.”
  • SAFECode – “SAFECode is dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. To this end, SAFECode unites subject matter experts with unparalleled experience in managing complex global processes for software development, integrity controls and supply chain security.”
  • Semiconductor Industry Association (SIA) – “The SIA promotes policies and regulations that fuel innovation, propel business and drive international competition in order to maintain a thriving semiconductor industry in the United States.”
  • Supply Chain Management Association – “the principal source of supply chain training, education and professional development in [Canada].”
  • The Open Group Trusted Technology Forum
  • The Trustworthy Software Initiative (TSI) – a United Kingdom “public good initiative supported and funded through the UK Government’s National Cyber Security Programme (NCSP) with a mission to ‘Make Software Better’.”
  • American National Standards Institute (ANSI) – “The ANSI Federation’s primary goal is to enhance the global competitiveness of U.S. business and the American quality of life by promoting and facilitating voluntary consensus standards and ensuring their integrity.”
  • Common Criteria - “the driving force for the widest available mutual recognition of secure IT products.”
  • GS1 – “The GS1 System is an integrated system of global standards that provides for accurate identification and communication of information regarding products, assets, services and locations.”
  • Independent Distributors of Electronics Association (IDEA) – “a non-profit trade association representing quality and ethically oriented independent distributors of electronic components.”
  • US Resilience Project - examples of the kinds of capabilities and competencies that companies are creating to manage disasters and to identify their priorities for partnering with government.
  • US-Cert “Build Security In” - Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
  • SAE International - a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries
  • Utilities Telecom Council (UTC) – “the source and resource for information and communications technology (ICT) solutions, collaboration, and advocacy for utilities and other critical infrastructure industries.”

Back to Top

Last Updated: 10/2016


Supply Chain General Inquiries

Jon Boyens - Project Lead - NIST

Rebecca McWhite - Technical Lead - NIST

Jeff Brewer - NIST

sw.assurance Google Group

Created May 24, 2016, Updated June 20, 2024