Official websites do not use .rip
A .gov website belongs to an official government organization in the United States.

We are building a provable archive!
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-18 Rev. 2

Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

Date Published: June 2026

Supersedes: SP 800-18 Rev. 1 (02/24/2006)

Author(s)

Jeremy Licata (NIST), Rebecca McWhite (NIST), Laura Calloway (NIST), Dylan Gilbert (NIST), Meghan Anderson (NIST), Julie Snyder (MITRE), Jeremy Miller (MITRE)

Abstract

Keywords

authorization boundary; authorizing official; common control authorization; control implementation details; cybersecurity supply chain risk management plan; privacy plan; privacy risk management; risk management framework; security plan; security risk management; authorization to operate; authorization to use; authorizing official designated representative; CASES Act; control implementation; controls; FASCSA; FISMA; ongoing authorization; Privacy Act; privacy plan; supply chain; supply chain risk management; system privacy plan; system security plan; system owner
Control Families

None selected