C-SCRM Publications

• NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. Click here to go to the full announcement of this document final release. To view the final SP 800-161 in PDF, click here.
• NIST announces that the Second Public Draft of Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment. (June 3, 2014)
  This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
   
  NIST requests comments on Draft NIST SP 800-161 by July 18, 2014. (NOTE: Comment period is closed) Please submit comments to scrm-nist@nist.gov using this public comment template (MS Word – see link below) with "Comments NIST SP 800-161" in the subject line.
  


• NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment
  October 21, 2013 (updated from August 2013 original note)
   
  This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
   
  Due to the recent government shutdown, NIST is extending the comment period for NIST SP 800-161 by 14 days.  Comments are now due by November 1, 2013. Please submit comments to scrm-nist@nist.gov with "Comments NIST SP 800-161" in the subject line.
  (NOTE: This Draft has been updated to Second Draft SP 800-161 -- see note above on June 3, 2014).
   
• Summary of the Workshop on Information and Communication Technologies Supply Chain Risk Management held October 15-16 at the National Institute of Standards and Technology.
   
• University of Maryland’s December 2012 report on a concept for an ICT Supply Chain Risk Management Portal: A Proof of Concept for an Enterprise ICT SCRM Assessment Package
  
  This report stems from a NIST grant to develop an Enterprise ICT SCRM Assessment Package as a proof of concept. This Package is delivered through an ICT SCRM Portal, featuring four major functions: an Initiatives Section; a Library Section; a Forum Section; and, an Enterprise Assessment Section composed of:
  
  
  • A Strategic Readiness Tool that profiles an enterprise’s risk management posture and organizational development status;
  
  
  • A NIST Principles/Practices Tool that asks a portfolio of operational questions;
  
  
  • A Cyber Chain Mapping Tool that provides a rapid method to build a working global map of cyber supply chain assets, transactions and vulnerabilities; and,
  
  
  • A Results Area that enables enterprises to view their ICT SCRM baseline status against three benchmarks: a group of peer enterprises; the Community Framework Model; and an ICT SCRM Capability/Maturity Level.


• NIST Interagency Report (NIST IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems. (Oct. 2012) Click here to view NISTIR 7622.
  
  This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.
  
  
• University of Maryland’s December 2011 study on ICT supply chain initiative: The ICT SCRM Community Framework Development Project.
  
  This report, which stems from a NIST grant, inventories the proliferating array of existing public and private sector ICT supply chain initiatives across diverse ICT segment and formulates a framework for defining various initiative within a single SCRM architectures. This framework has three tiers: enterprise risk governance, system integration and operations. Within each tier, the report defines a core set of attributes or distinct organizational capabilities to facilitate the identification and assessment of gaps in coverage in the ICT SCRM community.


• University of Maryland’s April 2011 study on ICT SCRM governance strategies and practices: Assessing Supply Chain Capabilities and Perspectives of the IT Vendor Community.
  
  This report stems from a NIST grant to profile the ICT SCRM governance strategies and practices of over 200 key Federal government vendors. The report contains a UMD developed SCRM tool to enable the strategic self-assessment of SCRM practices and highlights the extent and limitations of SCRM interventions at the unit, enterprise and supply chain levels in small, medium and large companies. The report concludes that “The cyber supply chain discipline is currently in an early emerging state characterized by: a deficient evidence-based body of knowledge; a proliferation and fragmentation of industry best practices and standards groups, generally led by only the largest firms; and a profound under-usage of supply chain-wide risk governance mechanisms inside IT vendors” (p.45).