U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NIST Releases Draft of NIST SP 800-161, Revision 1 for comment , Cyber Supply Chain Risk Management Practices for Systems and Organizations.
May 10, 2021

(6/7) The due date for submitting comments has been extended to June 25, 2021 (it was originally June 14, 2021).


More than ever, organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. These risks can decrease an enterprise’s visibility into and understanding of how the technology that they acquire is developed, integrated, and deployed. They can also affect and be affected by the processes, procedures, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of products and services.

That is why NIST is inviting comments on a major revision to Cyber Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161). The updates are designed to better help organizations identify, assess, and respond to cyber supply chain risks while still aligning with other fundamental NIST cybersecurity risk management guidance.

The revision to this foundational NIST publication represents a 1-year effort to incorporate next generation cyber supply chain risk management (C-SCRM) controls, strategies, policies, plans, and risk assessments into broader enterprise risk management activities by applying a multi-level approach. The changes focus on making implementation guidance more modular and consumable for acquirers, suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers. Additionally, the references have been updated and expanded.

Based on comments received by June 14 June 25, 2021, NIST anticipates releasing a second draft in September 2021 and a final version by April 2022. NIST is especially interested in feedback on whether the document provides guidance and a structure that any organization can use, regardless of size or mission, and that is still sufficiently descriptive to be clear and actionable.

NIST will hold a virtual workshop on May 12, 2021, from 11 am-12:40 pm EDT to further engage stakeholders by answering questions and gathering comments to ensure that the revised guidance will deliver comprehensive and relevant cyber supply chain risk management practices and guidance. Participants are strongly encouraged to read the document prior to participating in the workshop.

For details and registration information, visit https://www.nist.gov/news-events/events/2021/05/sp-800-161-revision-1-stakeholder-engagement.

The draft revision and more information are available at https://csrc.nist.rip/publications/detail/sp/800-161/rev-1/draft

Information about NIST’s Cyber Supply Chain Risk Management Program is available at https://csrc.nist.rip/projects/cyber-supply-chain-risk-management.

Created May 11, 2021, Updated June 07, 2021