800-53
Status:
Work-in-Progress Draft
Informative Reference Version:
1.0.0
Focal Document Version:
800-53 Rev. 4
Summary:
This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. The publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities.
Target Audience:
ICT SCRM is an organization-wide activity that should be directed under the overall agency governance, regardless of the specific organizational structure. At the organization level, ICT SCRM activities should be led by the risk executive function, described in [NIST SP 800-39], and implemented throughout the organization by a variety of individuals in different roles. The audience for this publication is federal agency personnel involved in engineering/developing, testing, deploying, acquiring, maintaining, and retiring ICT components and systems. These functions may include, but are not limited to, information technology, information security, contracting, risk executive, program management, legal, supply chain and logistics, acquisition and procurement, other related functions, and system owner. Other personnel or entities are free to make use of the guidance as appropriate to their situation.
Comprehensive:
Yes
Comments:
Please note, the following controls/control enhancements/control families have not been included in this work-in-progress draft, as they are not part of the SP 800-53 Rev. 4 Focal Document template:
• MA-7 - Maintenance Monitoring and Information Sharing
• PV-1 - Provenance Policy and Procedures
• PV-2 - Tracking Provenance and Developing a Baseline
• PV-2(1) - Tracking Provenance and Developing a Baseline | Automated and Repeatable Processes
• PV-3 - Auditing Roles Responsible for Provenance
• SA-18(3) - Tamper Resistance and Detection | Return Policy
Point of Contact:
olir@nist.gov
Category of Submitter:
Public Sector
Dependencies/Requirements:
N/A
Citations:
70a8b679078718a6c89862f0ddc987b97d332f4287b40b1a589cc08e81663967
Reference Document Author:
Reference Document:
SP 800-161
Reference Document Date:
04/01/2015
Reference Document URL:
https://csrc.nist.rip/external/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
Reference Developer:
National Institute of Standards and Technology
Posted Date:
August 17, 2021