U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

White Paper (Draft)

[Project Description] Validating the Integrity of Servers and Client Devices: Supply Chain Assurance

Date Published: November 2019
Comments Due: January 6, 2020 (public comment period is CLOSED)
Email Questions to: supplychain-nccoe@nist.gov


Tyler Diamond (NIST), Nakia Grayson (NIST), Celia Paulsen (NIST), W. Polk (NIST), Andrew Regenscheid (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE)


The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a draft project description that will focus on helping organizations decrease the risk of compromise to their information and operational technology product and service supply chain. 

The goal of this project is to document an approach to verify the supply chain integrity of computing devices at product acceptance by leveraging hardware roots of trust that are commonly included in commercial off-the-shelf personal computing devices. It will consider the computing device lifecycle starting with the manufacturing process through the delivery, acceptance, provisioning, use and disposition of the device.

The project will result in a freely available NIST Cybersecurity Practice Guide (SP 1800 series)—a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.



anti-counterfeiting; anti-tampering cyber supply chain risk management; asset management system; computing device; hardware assurance; hardware roots of trust; integrity; server security
Control Families

None selected


Project Description

Supplemental Material:
Submit Comments (other)
Project homepage (other)

Document History:
11/22/19: White Paper (Draft)
03/26/20: White Paper (Final)


Security and Privacy
cybersecurity supply chain risk management; roots of trust

hardware; servers