Date Published: February 4, 2020
NIST Special Publication 800-161, Pre-Draft Call for Comments
Since NIST Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, was published in 2015, many things have changed in the laws, regulations, tools, technologies, and best practices encompassing the information and communication technology (ICT) supply chain risk management (SCRM) ecosystem.
NIST has initiated an update of SP 800-161 to incorporate lessons learned over the past several years, updates to relevant NIST guidance (e.g., NIST SP 800-37 Rev. 2, Draft NIST SP 800-53 Rev. 5, and the Cybersecurity Framework v1.1), and the priorities of the Administration.
NIST seeks the input of SP 800-161 stakeholders to ensure Revision 1 will continue to deliver a single set of cyber supply chain risk management practices to help federal departments and agencies manage the risks associated with the acquisition and use of IT/OT products and services in a way that is functional and usable.
Specifically, NIST requests input on the following:
Additions, changes, or removals of ICT SCRM guidance, tiers, controls, or control enhancements, along with a rationale for each proposed addition, change, or removal.
Comments or suggestions for additional information
NIST seeks input regarding the comprehensiveness of the current publication, including the introductory text in Chapter 1; the integration of ICT SCRM into organization-wide risk management in Chapter 2; ICT SCRM control informative text, controls, control enhancements, and supplemental guidance in Chapter 3; and all supporting appendices.
Are there any ICT SCRM controls needed but not addressed by the control sets? Is additional supplemental guidance needed for any control or control enhancement? Is further informative text needed in Chapters 1-3? Is there any information missing from the supporting appendices, or are additional appendices needed (e.g., key practices, risk assessments, or supplier assessments)?
Please be specific and include the rationale for any proposed additions.
Comments or suggestions for clarification of information
NIST seeks input regarding the clarity of the current publication, including the informative text in Chapters 1-3; the ICT SCRM controls, control enhancements, and supplemental guidance in Chapter 3; and all supporting appendices. Are the informative text and guidance in Chapters 1-3 and the supporting appendices presented with sufficient clarity? Is the intent of the Tiers clear? Is the intent of any ICT SCRM control or enhancement unclear or confusing? Does the associated supplemental guidance explain the intent of the control or control enhancement clearly and unambiguously? Are there sufficient examples?
Please be specific and include the rationale for any proposed clarifications.
Comments or suggestions for removal of information
NIST seeks input regarding the need to remove material from the current publication, including the informative text in Chapters 1-3; the ICT SCRM controls, control enhancements, and supplemental guidance in Chapter 3; and any supporting appendices. Is there information in Chapters 1-3 or the supporting appendices that is irrelevant or not useful? Are there ICT SCRM controls in Chapter 3 or Appendices A and B that are outdated, unneeded, or unusable? Is there supplemental guidance for ICT SCRM controls or control enhancements that is not helpful or is extraneous? Is information in any of the appendices ineffective or immaterial?
Please be specific and include the rationale for any proposed deletions.