Cybersecurity Supply Chain Risk Management C-SCRM

Key NIST Resources and Activities

Focusing on federal agencies but also engaging with and providing resources useful to government at other levels as well as the private sector, NIST:

• Guidance on Software Supply Chain Security, under Executive Order 14028 Sections 4(c) and (d), focuses on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) from the lens of federal acquirers. It covers both existing and evolving standards, tools, and recommended practices.  The guidance is co-located with related EO guidance under NIST’s purview and will be maintained online to more easily update guidance on emerging concepts. 
• Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1) (2022). Guides organizations in identifying, assessing, and responding to supply chain risks at all levels of their organizations.
• Federal Acquisition Security Council, or FASC, created by statute in 2018 and helps to develop policies and processes for agencies to use when purchasing technology products and services
• Integrated C-SCRM considerations incorporated into other NIST guidance, including the Cybersecurity Framework, Risk Management Framework, and Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)
• Criticality Analysis Process Model: Helping Organizations (NISTIR 8179), aimed at identifying systems and components that are most vital and may need additional security or other protections.
• Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NISTIR 8276 - Draft), summarizing practices deemed by subject matter experts to be foundational to an effective cyber supply chain risk management program
• The Federal C-SCRM Forum, hosted by NIST and fostering collaboration and exchange of information among federal organizations to improve the security of their supply chains.  It includes those responsible for C-SCRM in the federal ecosystem, among them the Office of Management and Budget (OMB), Department of Defense (DOD), Department of Homeland Security (DHS), General Services Administration (GSA), and NIST.
• The Software and Supply Chain Assurance (SSCA) Forum, sponsored by NIST co-led with the Department of Defense (DOD), Department of Homeland Security (DHS), and the General Services Administration (GSA).
• National Cybersecurity Center of Excellence (NCCoE) demonstration project with the private sector identifying methods to verify that organizations’ purchased computing devices’ internal components are genuine and have not been altered during the manufacturing and distribution process or after sale from a retailer until the device is retired from service.