Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8276

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Date Published: February 2021


Jon Boyens (NIST), Celia Paulsen (NIST), Nadya Bartol (Boston Consulting Group), Kris Winkler (Boston Consulting Group), James Gimbi (Boston Consulting Group)



best practices; cyber supply chain risk management; C-SCRM; external dependency management; information and communication technology supply chain risk management; ICT SCRM; key practices; risk management; supplier; supply chain; supply chain assurance; supply chain risk; supply chain risk assessment; supply chain risk management; supply chain security; third-party risk management
Control Families

None selected


Download URL

Supplemental Material:
Cyber SCRM Key Practices and Case Studies

Document History:
02/04/20: IR 8276 (Draft)
02/11/21: IR 8276 (Final)


Security and Privacy

cybersecurity supply chain risk management


cybersecurity framework