Date Published: October 28, 2021
Comments Due:
Email Questions to:
Planning Note (12/01/2021):
The comment period has been extended through December 10, 2021.
The comment template has been updated to remove incorrect cell value validations from the Section and Page columns.
NIST held a webinar on December 1, 2021, to provide an overview of the changes made in this draft.
Author(s)
Jon Boyens (NIST), Angela Smith (NIST), Nadya Bartol (Boston Consulting Group), Kris Winkler (Boston Consulting Group), Alex Holbrook (Boston Consulting Group), Matthew Fallon (Boston Consulting Group)
Announcement
NIST has just released the second public draft of Special Publication (SP) 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, for public comment. We listened to your comments from earlier this year about the first version, we’ve made new changes, and we are hoping to get your feedback again on our new draft.
The initial public draft was published in April of 2021 and preceded the release of the President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity issued on May 12, 2021. This EO charged multiple agencies—including NIST—with enhancing cybersecurity through a variety of initiatives, but with a specific focus on the security and integrity of the software supply chain.
What is different about this second version?
We worked on making the implementation guidance more consumable by different audiences by revising the structure of the document and adding Audience Profiles. We also added two NEW appendices focused more specifically on Federal departments and agencies:
- APPENDIX E: A Federal Acquisition Supply Chain Security Act of 2018 (FASCSA) appendix, which provides additional guidance tailored to federal executive agencies related to supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response.
- APPENDIX F: A Response to Executive Order 14028’s Call to Publish Preliminary Guidelines or Enhancing Software Supply Chain Security appendix, which seeks to provide a response to the directives outlined within Section 4(c) of the EO by outlining existing industry standards, tools, and recommended practices within the context of SP 800-161 Revision 1, as well as any new standards, tools, and recommended practices stemming from the EO and recent developments in the discipline.
See the "Note to Reviewers" on page iii of the draft for a summary of changes and questions for reviewers to consider.
How are comments submitted?
Comments are due by December 10 December 3, 2021. We encourage you to use this comment template for submitting your comments. As always, we are thankful for your support; your ideas will continue to help shape our final publication to ensure it meets the needs and expectations of our customers. We plan to release a final draft of NIST SP 800-161 Revision 1 during the third quarter of 2022.
NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. These risks are associated with an enterprise’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the security, resilience, reliability, safety, integrity, and quality of the products and services.
This publication provides guidance to organizations on identifying, assessing, and mitigating cyber supply chain risks at all levels of their organizations. The publication integrates cyber supply chain risk management (C-SCRM) into risk management activities by applying a multi-level, C-SCRM-specific approach, including guidance on development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and C-SCRM risk assessments for products and services.
Organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. These risks are associated with an...
See full abstract
Organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. These risks are associated with an enterprise’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the security, resilience, reliability, safety, integrity, and quality of the products and services.
This publication provides guidance to organizations on identifying, assessing, and mitigating cyber supply chain risks at all levels of their organizations. The publication integrates cyber supply chain risk management (C-SCRM) into risk management activities by applying a multi-level, C-SCRM-specific approach, including guidance on development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and C-SCRM risk assessments for products and services.
Hide full abstract
Keywords
C-SCRM; cyber supply chain risk management; acquire; information and communication technology; supply chain; cyber supply chain; supply chain assurance; supply chain risk; supply chain risk assessment; supply chain security; risk management; supplier
Control Families
None selected
