Cybersecurity Supply Chain Risk Management C-SCRM
Key NIST Resources and Activities
Focusing on federal agencies, but also engaging with, and providing resources useful to, government at other levels and the private sector, NIST offers the following:
- Guidance on Software Supply Chain Security, under Executive Order 14028 Sections 4(c) and (d), focuses on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) through the lens of federal acquirers. It covers both existing and evolving standards, tools, and recommended practices. The guidance is co-located with related EO guidance under NIST’s purview and will be maintained online so that guidance on emerging concepts can be updated more easily.
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1) (2022). Guides organizations in identifying, assessing, and responding to supply chain risks at all levels of their organizations.
- The Federal Acquisition Security Council (FASC), created by statute in 2018, helps to develop policies and processes for agencies to use when purchasing technology products and services.
- Integrated C-SCRM considerations incorporated into other NIST guidance, including the Cybersecurity Framework, the Risk Management Framework, and Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5).
- Criticality Analysis Process Model: Helping Organizations (NISTIR 8179), aimed at identifying systems and components that are most vital and may need additional security or other protections.
- Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NISTIR 8276 - Draft), summarizing practices deemed by subject matter experts to be foundational to an effective cyber supply chain risk management program.
- The Federal C-SCRM Forum, hosted by NIST and fostering collaboration and exchange of information among federal organizations to improve the security of their supply chains. It includes those responsible for C-SCRM in the federal ecosystem, among them the Office of Management and Budget (OMB), Department of Defense (DOD), Department of Homeland Security (DHS), General Services Administration (GSA), and NIST.
- The Software and Supply Chain Assurance (SSCA) Forum, sponsored by NIST and co-led with the Department of Defense (DOD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
- A National Cybersecurity Center of Excellence (NCCoE) demonstration project with the private sector, identifying methods to verify that the internal components of organizations’ purchased computing devices are genuine and have not been altered during manufacturing and distribution, or after sale from a retailer, until the device is retired from service.
Security and Privacy:
controls assessment, cybersecurity supply chain risk management, information sharing, malware, risk assessment, security controls, security measurement, security programs & operations, systems security engineering, vulnerability management
cloud & virtualization, hardware, software & firmware
communications & wireless, cybersecurity framework
Laws and Regulations:
Comprehensive National Cybersecurity Initiative, Cybersecurity Enhancement Act, Cybersecurity Strategy and Implementation Plan, Cyberspace Policy Review, Executive Order 13636, Federal Acquisition Regulation, Federal Information Security Modernization Act, Homeland Security Presidential Directive 12, OMB Circular A-130
Created May 24, 2016, Updated September 25, 2023