Computer Security Resource Center

NISTIR 8276 (Draft)

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Date Published: February 2020
Comments Due: March 4, 2020 (public comment period is CLOSED)
Email Questions to:


Authors: Jon Boyens (NIST), Celia Paulsen (NIST), Nadya Bartol (Boston Consulting Group), Kris Winkler (Boston Consulting Group), James Gimbi (Boston Consulting Group)



Keywords: best practices; cyber supply chain risk management; C-SCRM; external dependency management; information and communication technology supply chain risk management; ICT SCRM; key practices; risk management; supplier; supply chain; supply chain assurance; supply chain risk; supply chain risk assessment; supply chain risk management; supply chain security; third-party risk management
Control Families

None selected


NISTIR 8276 (Draft) (DOI)
Local Download

Supplemental Material:
Cyber SCRM Key Practices and Case Studies (other)
NIST news article (other)

Document History:
02/04/20: NISTIR 8276 (Draft)


Security and Privacy
cyber supply chain risk management

cybersecurity framework