SP 800-161

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Date Published: April 2015

Planning Note (2/4/2020): NIST has posted a Pre-Draft Call for Comments to solicit feedback as it initiates development of SP 800-161 Revision 1. Comments are due by February 28, 2020.


Author(s)

Jon Boyens (NIST), Celia Paulsen (NIST), Rama Moorthy (Hatha Systems), Nadya Bartol (Utilities Telecom Council)



Keywords

acquire; information and communication technology supply chain risk management; ICT SCRM; risk management; supplier; supply chain; supply chain risk; supply chain risk management; supply chain assurance; supply chain security

Control Families

Access Control; Audit and Accountability; Awareness and Training; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Program Management; Risk Assessment; System and Communications Protection; System and Information Integrity; System and Services Acquisition



Supplemental Material:
None available

Related NIST Publications:
SP 800-161 Rev. 1 (Draft)

Document History:
04/08/15: SP 800-161 (Final)