Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Boyens, Jon; Paulsen, Celia; Moorthy, Rama; Bartol, Nadya

doi:https://doi.org/10.6028/NIST.SP.800-161

SP 800-161

Withdrawn on May 05, 2022.

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Documentation Topics

Date Published: April 2015

Author(s)

Jon Boyens (NIST), Celia Paulsen (NIST), Rama Moorthy (Hatha Systems), Nadya Bartol (Utilities Telecom Council)

Abstract

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.

Keywords

information and communication technology supply chain risk management; ICT SCRM; risk management; supplier; supply chain; supply chain risk; supply chain risk management; supply chain assurance; acquire; supply chain security

Control Families

Access Control; Audit and Accountability; Awareness and Training; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Program Management; Risk Assessment; System and Communications Protection; System and Information Integrity; System and Services Acquisition

Documentation

Publication:
SP 800-161 (DOI)
Local Download

Supplemental Material:
None available

Document History:
04/08/15: SP 800-161

Topics

Security and Privacy
acquisition; cybersecurity supply chain risk management; incident response; maintenance; planning; risk assessment

Laws and Regulations
OMB Circular A-130