Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Project Description (Initial Public Draft)

Validating the Integrity of Servers and Client Devices: Supply Chain Assurance

Date Published: November 2019
Comments Due: January 6, 2020 (public comment period is CLOSED)
Email Questions to:


Tyler Diamond (NIST), Nakia Grayson (NIST), Celia Paulsen (NIST), W. Polk (NIST), Andrew Regenscheid (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE)


The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a draft project description that will focus on helping organizations decrease the risk of compromise to their information and operational technology product and service supply chain. 

The goal of this project is to document an approach to verify the supply chain integrity of computing devices at product acceptance by leveraging hardware roots of trust that are commonly included in commercial off-the-shelf personal computing devices. It will consider the computing device lifecycle starting with the manufacturing process through the delivery, acceptance, provisioning, use and disposition of the device.

The project will result in a freely available NIST Cybersecurity Practice Guide (SP 1800 series)—a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.



anti-counterfeiting; anti-tampering cyber supply chain risk management; asset management system; computing device; hardware assurance; hardware roots of trust; integrity; server security
Control Families

None selected


Project Description (pdf)

Supplemental Material:
Submit Comments
Project homepage

Document History:
11/22/19: Project Description (Draft)
03/26/20: Project Description (Final)


Security and Privacy

cybersecurity supply chain risk management, roots of trust


hardware, servers