Since NIST Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, was published in 2015, many things have changed in the laws, regulations, tools, technologies, and best practices encompassing the information and communication technology (ICT) supply chain risk management (SCRM) ecosystem.

NIST has initiated an update of SP 800-161 to incorporate: lessons learned over the past several years; updates to relevant NIST guidance (e.g., NIST SP 800-37 Rev. 2, Draft NIST SP 800-53 Rev. 5, and the Cybersecurity Framework v1.1); and the priorities of the Administration.

NIST seeks the input of SP 800-161 stakeholders to ensure Revision 1 will continue to deliver a single set of cyber supply chain risk management practices to help federal departments and agencies manage the risks associated with the acquisition and use of IT/OT products and services in a way that is functional and usable.

To learn more about what NIST is specifically seeking, see the SP 800-161 Rev. 1 PRE-DRAFT Call for Comments. Please submit your comments no later than February 28, 2020.