Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Boyens, Jon; Paulsen, Celia; Moorthy, Rama; Bartol, Nadya

doi:https://doi.org/10.6028/NIST.SP.800-161

SP 800-161

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Date Published: April 2015

Planning Note (2/4/2020): NIST has posted a Pre-Draft Call for Comments to solicit feedback as it initiates development of SP 800-161 Revision 1. Comments are due by February 28, 2020.

Author(s)

Jon Boyens (NIST), Celia Paulsen (NIST), Rama Moorthy (Hatha Systems), Nadya Bartol (Utilities Telecom Council)

Abstract

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.

Keywords

acquire; information and communication technology supply chain risk management; ICT SCRM; risk management; supplier; supply chain; supply chain risk; supply chain risk management; supply chain assurance; supply chain security

Control Families

Access Control; Audit and Accountability; Awareness and Training; Security Assessment and Authorization; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Program Management; Risk Assessment; System and Communications Protection; System and Information Integrity; System and Services Acquisition

Documentation

Publication:
SP 800-161 (DOI)
Local Download

Supplemental Material:
None available

Related NIST Publications:
SP 800-161 Rev. 1 (Draft)

Document History:
04/08/15: SP 800-161 (Final)

Topics

Security and Privacy
acquisition; cyber supply chain risk management; incident response; maintenance; planning; risk assessment

Laws and Regulations
OMB Circular A-130

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

SP 800-161

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Author(s)

Abstract

Keywords

Control Families

Documentation

Topics

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

Computer Security Resource Center

Computer Security Resource Center

Computer SecurityResource Center

SP 800-161

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Author(s)

Abstract

Keywords

Control Families

Documentation

Topics

Computer Security
Resource Center