
NIST SP 800-18 Rev. 2 (Initial Public Draft)

Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

Date Published: June 4, 2025
Comments Due: July 30, 2025
Email Comments to: [email protected]

Author(s)

Jeremy Licata (NIST), Rebecca McWhite (NIST), Laura Calloway (NIST), Dylan Gilbert (NIST), Meghan Anderson (NIST), Julie Snyder (MITRE), Jeremy Miller (MITRE)

Announcement

The system security plan, system privacy plan, and cybersecurity supply chain risk management (CSCRM) plan, collectively referred to as system plans, consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. System plans serve as a centralized point of reference for information about the system and for tracking risk management decisions, including: the data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the environment of operation, system components, and internal and external data flows; and the controls planned and in place to manage risk.

NIST Special Publication 800-18r2 focuses on the development of system plans that address system-level security, privacy, and CSCRM requirements that may derive from enterprise, organization, and mission/business process requirements.

The major changes for this revision include:

  • Expanded guidance to address the development of system plans within the context of the NIST Risk Management Framework, the NIST Privacy Framework, and NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
  • Insights into the development of a consolidated system plan that encompasses security, privacy, and cybersecurity supply chain risk management plan elements.
  • Updated descriptions of system plan elements, with considerations for security, privacy, and cybersecurity supply chain risk management requirements.
  • Considerations for automating the development and maintenance of system plans using information management tools, such as governance, risk, and compliance (GRC) applications.

Supplemental materials include system plan example outlines and updated roles and responsibilities associated with system plan development.

The public comment period is open through July 30, 2025. We encourage you to use this comment template and email it to [email protected].

NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy: Inclusion of Patents in ITL Publications.

Abstract

Keywords

authorization boundary; authorizing official; common control authorization; control implementation details; cybersecurity supply chain risk management plan; privacy plan; privacy risk management; risk management framework; security plan; security risk management; authorization to operate; authorization to use; authorizing official designated representative; CASES Act; control implementation; controls; FASCSA; FISMA; ongoing authorization; Privacy Act; supply chain; supply chain risk management; system privacy plan; system security plan; system owner

Control Families

None selected