NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage

News & Events

{April 2015} -- NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

{Dec. 2012} -- NIST is pleased to announce a report by the University of Maryland’s Supply Chain Management Center: Proof of Concept for an Enterprise ICT SCRM Assessment Package

more news


General Inquires

Jon Boyens
Project Lead

Celia Paulsen
Technical Lead

C-SCRM References




  • Comprehensive National Cybersecurity Initiative (CNCI) Number 11– “This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.”
  • Defense Microelectronics Activity Trusted IC Supplier Accreditation Program – designated by the Department of Defense as the accrediting authority for trusted design, aggregator/broker, mask and wafer fabrication, packaging and test services across a broad technology range for specialized governmental applications both classified and unclassified.
  • DoD Supply Chain Integration - “responsible for the orchestration, synchronization, and integration of global supply chain integration and its operational execution”
  • Government-Industry Data Exchange Program (GIDEP) – “contains information on equipment, parts, and assemblies which are suspected to be counterfeit.”
  • International Center for Enterprise Preparedness (InterCEP) Supply Chain Working Group – “Currently, the U.S. Department of Homeland Security is engaged in the process to fulfill its charge under the law to initiate the national voluntary certification program. InterCEP seeks to serve as a catalyst for business sector involvement and plans to work with other organizations to promote both awareness of the program and input into its development.”
  • National Strategy for Global Supply Chain Security – Establishes “the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity”

Back to Top


  • National Defense Industrial Association (NDIA) Systems Engineering Division – Seeks “to promote the widespread use of systems engineering (SE) in the Department of Defense (DoD) acquisition process
  • International Council on Systems Engineering (INCOSE) – “champions the art, science, discipline, and practice of systems engineering.”
  • International Electronics Manufacturing Initiative – “iNEMI roadmaps the future technology requirements of the global electronics industry, identifies and prioritizes technology and infrastructure gaps, and helps eliminate those gaps through timely, high-impact deployment projects.”
  • Information Technology Industry Council (ITI) – “ITI navigates the relationships between policymakers, companies, and non-governmental organizations, providing creative solutions that advance the development and use of technology around the world.”
  • International Electronics Manufacturing Initiative (iNEMI) – a not-for-profit, R&D consortium whose mission is to “forecast and accelerate improvements in the electronics manufacturing industry for a sustainable future.”
  • Information Security Forum – “This project will focus on creating a methodology and supporting toolkit to help Members secure their supply chains end-to-end.”
  • Internet Security Alliance – Seeks to provide “practical security measures necessary for the Design, Fabrication, Pre-assembly, Assembly, Distribution, and Maintenance Phases, along with reviewing the legal contractual conditions necessary for implementing the other security measures.”
  • International Standards Organization (ISO) – “the world’s largest developer of voluntary International Standards… covering almost all aspects of technology and business.”
  • IT Sector Coordinating Council – “the principal entity for coordinating with the government on a wide range of critical infrastructure protection activities and issues.”
  • SAFECode – “SAFECode is dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. To this end, SAFECode unites subject matter experts with unparalleled experience in managing complex global processes for software development, integrity controls and supply chain security.”
  • Semiconductor Industry Association (SIA) – “The SIA promotes policies and regulations that fuel innovation, propel business and drive international competition in order to maintain a thriving semiconductor industry in the United States.”
  • Supply Chain Management Association – “the principal source of supply chain training, education and professional development in [Canada].”
  • The Open Group Trusted Technology Forum
  • The Trustworthy Software Initiative (TSI) – a United Kingdom “public good initiative supported and funded through the UK Government’s National Cyber Security Programme (NCSP) with a mission to ‘Make Software Better’.”
  • American National Standards Institute (ANSI) – “The ANSI Federation’s primary goal is to enhance the global competitiveness of U.S. business and the American quality of life by promoting and facilitating voluntary consensus standards and ensuring their integrity.”
  • Common Criteria - “the driving force for the widest available mutual recognition of secure IT products.”
  • GS1 – “The GS1 System is an integrated system of global standards that provides for accurate identification and communication of information regarding products, assets, services and locations.”
  • Independent Distributors of Electronics Association (IDEA) – “a non-profit trade association representing quality and ethically oriented independent distributors of electronic components.”
  • US Resilience Project - examples of the kinds of capabilities and competencies that companies are creating to manage disasters and to identify their priorities for partnering with government.
  • US-Cert “Build Security In” - Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
  • SAE International - a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries
  • Utilities Telecom Council (UTC) – “the source and resource for information and communications technology (ICT) solutions, collaboration, and advocacy for utilities and other critical infrastructure industries.”

Back to Top


  • Logistics / Supplier Management
    • ARP9113 – Aerospace Supply Chain Risk Management Guidelines
    • AS9120 – Aerospace Requirements for Stockist Distributors
    • ISO/IEC 27036 – Information Technology – Security Techniques – Information Security for Supplier Relationships (Four Parts)
    • PAS 7000:2014 – Supply Chain Risk Management – Supplier Prequalification

  • Integrity / Quality / Asset Management
    • ANSI/EIA 4899 - Standard for Preparing an Electronic Components Management Plan
    • ARP9134A – Aerospace Supply Chain Risk Management Guideline focusing “on Quality as a key risk assessment factor”
    • IEEE 828-2012 – IEEE Standard for Configuration Management in Systems and Software Engineering
    • ISO 13485:2003 – Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes
    • ISO 9000 – Quality Management
    • ISO/IEC 15408-1:2009 – Information Technology – Security Techniques – Evaluation Criteria for IT Security (3 parts)

    • Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating Maliciously Tainted and Counterfeit Products - “an open standard containing a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT).”
    • SAE AS5553 – Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition
    • SAE AS6462A – Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Verification Criteria

  • Systems Engineering / Software Development
    • ISO/IEC 15026 – Systems and Software Engineering – Systems and Software Assurance (Four Parts)
    • ISO/IEC TR 24772:2013 – Information Technology – Programming Languages – Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and use
    • MITRE Systems Engineering Guide – “Developed by systems engineers for systems engineers… The text is written as if the author is speaking directly to a MITRE technical staff member”
    • NDIA Engineering for System Assurance (2008)
    • NEMA CPSP 1-2015 – “This document identifies a recommended set of supply chain best practices and guidelines that electrical equipment and medical imaging manufacturers can implement during product development to minimize the possibility that bugs, malware, viruses, or other exploits can be used to negatively impact product operation.”
  • IT Risk Management
    • ASTM E1578 –Standard for Laboratory Informatics
    • ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements

Back to Top


(Additional NIST publications can be found at

  • FIPS 199 – Standards for Security Cat
  • NIST IR 6462 – Guidance for COTS Security Protection Profiles
  • NIST IR 7622 – Notional Supply Chain Risk Management Practices for Federal Information Systems
  • NIST IR 8023 – Risk Management for Replication Devices
  • NIST SP 800-161 – Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST SP 800-18 R1 – Guide for Developing Security Plans for Federal Information Systems
  • egorization of Federal Information and Information Systems

Back to Top


  • Boyson, S., Corsi, T., Rossman, H., Mann, H., Richmond, J. (2012). Proof of Concept for an ICT SCRM Enterprise Assessment Package. University of Maryland RH Smith School of Business. View
  • University of Maryland RH Smith School of Business (2011). The ICT SCRM Community Framework Development Project Final Report.  View
  • University of Maryland RH Smith School of Business (2011). Assessing SCRM Capabilities and Perspoectives of the IT Vendor Community: Toward a Cyber-Supply Chain Code of PracticeView
  • University of Maryland RH Smith School of Business (2015). Leveraging the Cyber Risk Portal as a Teaching & Education Tool”View

Back to Top


  • Filsinger, J., Fast, B., Wolf, D.G., Payne, J.F.X., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber Committee. View
  • Ganeshan, R., Harrison, T.P. (1995). An Introduction to Supply Chain Management. Penn State University. View
  • Giunipero, L., Hooker, R., Joseph-Matthews, S., Yoon, T., & Brudvig, S. (2008). A Decade of SCM Literature: Past, Present and Future Implications. Journal of Supply Chain Management, 44 (4), 66-86 DOI: 10.1111/j.1745-493X.2008.00073.x
  • Harrington, L.H., Boyson, S., Corsi, T. (2011). X-SCM: The New Science of X-treme Supply Chain Management. Routledge, New York, NY.
  • Hintsa, J., Gutierrez, X., Wieser, P., & Hameri, A. (2009). Supply Chain Security Management: an Overview. International Journal of Logistics Systems and Management, 5 (3/4), 344-355 DOI:10.1504/IJLSM.2009.022501
  • SCLRC (2011). Supply Chain Risk Management: A Compilation of Best Practices. Supply Chain Risk Leadership Council
  • Lynch, G.S. (2009). Single Point of Failure: The 10 Essential Laws of Supply Chain Risk Management. John Wiley & Sons, Hoboken, NJ.
  • Vanany, Iwan, Zailani, Suhaiza, & Pujawan, Nyoman (2009). Supply Chain Risk Management: Literature Review and Future Research. International Journal of Information Systems and Supply Chain Management, 2 (1), 16-33 DOI:10.4018/jisscm.2009010102
  • Wikipedia:

Back to Top


  • Bartol, Nadya (2015). Utilities Telecom Council Cyber Supply Chain Risk Management For Utilities – Roadmap for Implementation. Utilities Telecom Council. Washington, DC.  View
  • Bloomberg (2011). Supply Chain Cybersecurity. Bloomberg View Cybersecurity Conference. New York, NY. View
  • Charney, S., Werner, E. (2011). Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust. Microsoft Corporation. View
  • Darrell M. West. (2013). Twelve Ways to Build Trust in the ICT Global Supply Chain. Issues in Technology Innovation. Center for Technology Innovation at Brookings. View
  • Ellison, R., Goodenough, J., Weinstock, C., & Woody, C. (2010). Evaluating and Mitigating Software Supply Chain Security Risks. (CMU/SEI-2010-TN-016). Retrieved February 08, 2013, from the Software Engineering Institute, Carnegie Mellon University website: View
  • Filsinger, J., Fast, B., Wolf, D.G., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber CommitteeView
  • Gorman, C. (2012). Counterfeit Chips on the Rise. Spectrum, IEEE. 49 (6), 16-17. View
  • IATAC. (2010). Risk Management for the Off-the-Shelf (OTS) Information Communications Technology (ICT) Supply Chain [For Official Use Only]. SOAR.
  • Information Security Forum (2012). Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your ownView
  • Institute for Defense Analyses (2011). Challenges in Cyberspace. IDA Research Notes. View
  • Kimmins, J. (2011) Telecommunications Supply Chain Integrity: Mitigating the supply chain security risks in national public telecommunications infrastructures. Cybersecurity Summit (WCS), 2011 Second Worldwide. 1-4.View
  • Qiu, X. (2011) Architectural Solution Integration to contain ICT supply chain threats. Cybersecurity Summit (WCS), 2011 Second Worldwide. 1-4. View
  • Siegfried, M. (2012). Defending Cyberspace: Businesses search for ways to protect their computer networks and supply chains against relentless attacks by cybercriminals. Inside Supply Management. View
  • Simpson, S. (2008). Fundamental Practices for Secure Software Development: A guide to the Most Effective Secure Development Practices in Use Today. SAFECode. View
  • Simpson, S. (2009). The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain. SAFECode. View

Back to Top


  • Information Flow
    • Evelyne V., Kenneth K. B., Ann V., (2009) Supply chain information flow strategies: an empirical taxonomy. International Journal of Operations & Production Management, Vol. 29 Iss: 12, pp.1213 – 1241 DOI: 10.1108/01443570911005974
    • Bi H, Lin D. RFID-Enabled Discovery Of Supply Networks. IEEE Transactions On Engineering Management [serial online]. February 2009;56(1):129-141.
  • Threats / Vulnerabilities
    • Finch, P. (2004). Supply chain risk management. Supply Chain Management: An International Journal, 9 (2), 183-196 DOI:10.1108/13598540410527079
    • FM Global. (2006). The New Supply Chain Challenge: Risk Management in a Global EconomyView
    • Glickman, T.S., & White, S.C. (2006). Security, visibility and resilience: the keys to mitigating supply chain vulnerabilities. International Journal of Logistics Systems and Management, 2 (2), 107-119 : 10.1504/IJLSM.2006.009554
    • Helen Peck, (2005) Drivers of supply chain vulnerability: an integrated framework. International Journal of Physical Distribution & Logistics Management, Vol. 35 Iss: 4, pp.210 – 232. DOI: 10.1108/09600030510599904
    • Hendricks, K. & Singhal, V. (2003). The Effect of Supply Chain Glitches on Shareholder Wealth. Journal of Operations Management, 21 (5), 501-522 DOI: 10.1016/j.jom.2003.02.003
    • Internet Security Threat Report. (2013). Symantec Corporation. Annual Report. View
    • McAfee Threats Report: First Quarter 2013. (2013). McAfee Labs. Quarterly Report. View View parent website
    • Microsoft Security Intelligence Report (SIR). (n.d.). Microsoft Corporation. Bi-annual Report. View
    • Monroe, R. W., Teets, J.M., Martin, P. R., (2012). A Taxonomy for Categorizing Supply Chain Events: Strategies for Addressing Supply Chain Disruptions. Southeast Decision Sciences Institute. View
    • M-Trends Reports. (n.d.). Mandiant. Annual Report. View
    • Norton Cybercrime Report 2012 (n.d.). Norton by Symantec. View
    • Palo Alto Networks Annual Report (n.d.). The Modern Malware Review.. View
    • Pecht, M., Tiku, S. (2006). Bogus: Electronic Manufacturing and Consumers Confront a Rising Tide of Counterfeit Electronics. Spectrum, IEEE. 43 (5), 37-46.
    • Risk and Compliance Journal. (2015). Supply Chain Risk Assessment: Mining for Potential Threats. The Wall Street Journal. Deloitte. View
    • Wagner, S., Bode, C., & Koziol, P. (2009). Supplier Default Dependencies: Empirical Evidence From the Automotive Industry European Journal of Operational Research, 199 (1), 150-161 DOI:10.1016/j.ejor.2008.11.012
  • Risk Management
    • Aberdeen Group. (2008). Supply Chain Risk Management: Building a Resilient Global Supply Chain. Aberdeen Group. View
    • Adaptive Systems: Control Versus Emergence. Journal of Operations Management, 19 (3), 351-366 DOI: 10.1016/S0272-6963(00)00068-1
    • Basu, et al. (2008) Supply Chain Risk Management: A Delicate Balancing Act. IBM Global Business Services White Paper. View
    • Boyson, S., Corsi, T., Rossman, H. (2009). Building a Cyber Supply Chain Assurance Reference Model. SAIC & R. H. Smith School of Business.
    • Chopra, S., & Sodhi, M.S. (2004). Managing Risk to Avoid Supply-Chain Breakdown. MIT Sloan Management Review, 46 (1), 53-61Resiliency. DOI: 10.1108/09600030410545427
    • Christopher, M. (2005). Managing risk in the supply chain. Logistics and Supply Chain Management (3rd ed., pp. 231-258). Harlow: Prentice Hall.
    • Deloitte. (2013). The Ripple Effect: How Manufacturing and Retail Executives View the Growing Challenge of Supply Chain RiskView
    • Khan, O., Zsidisin, G.A. (2011). Handbook for Supply Chain Risk Management: Case Studies, Effective Practices and Emerging Trends
    • Kiser, J., & Cantrell, G. (2006). Six Steps to Managing Risk. Supply Chain Management Review, 10(3), 12-17.
    • Pfohl, H., Köhler, H., & Thomas, D. (2010). State of the Art in Supply Chain Risk Management Research: Empirical and Conceptual Findings and a Roadmap for the Implementation in Practice. Logistics Research, 2 (1), 33-44 DOI: 10.1007/s12159-010-0023-8
    • Sodhi, M., Son, B., & Tang, C. (2011). Researchers’ Perspectives on Supply Chain Risk Management Production and Operations Management, 21(1), 1-13 DOI: 10.1111/J.1937-5956.2011.01251.X
    • Stecke, K., & Kumar, S. (2009). Sources of Supply Chain Disruptions, Factors That Breed Vulnerability, and Mitigating Strategies. Journal of Marketing Channels, 16 (3), 193-226 DOI:10.1080/10466690902932551
    • Tan, K. C. (2002), Supply Chain Management: Practices, Concerns, and Performance Issues. Journal of Supply Chain Management, 38: 42–53. DOI: 10.1111/j.1745-493X.2002.tb00119.x
    • University of Tennessee (2014). Managing Risk in the Global Supply Chain. View
    • World Economic Forum. (2012). Building Resilience in Supply ChainsView
    • Zacharia, Z., Sanders, N., & Nix, N. (2011). The Emerging Role of the Third-Party Logistics Provider (3PL) as an Orchestrator. Journal of Business Logistics, 32 (1), 40-54 DOI: 10.1111/j.2158-1592.2011.01004.x
  • Resiliency / Continuity of Supply
    • Christopher, M., & Peck, H. (2004). Building the Resilient Supply Chain. The International Journal of Logistics Management, 15 (2), 1-14 DOI: 10.1108/09574090410700275
    • Cox, A., Prager, F., & Rose, A. (2011). Transportation Security and the Role of Resilience: A Foundation for Operational Metrics. Transport Policy, 18 (2), 307-317 DOI:10.1016/j.tranpol.2010.09.004
    • Creating Resilient Supply Chains: A Practical Guide. Centre for Logistics and Supply Chain Management at the Cranfield School of Management View
    • Pettit, T J, Fiksel, J, & Croxton, K L (2010). Ensuring Supply Chain Resilience: Development of a Conceptual Framework. Journal of Business Logistics, 31 (1), 1-21 ProQuest document ID: 2020607081
    • World Economic Forum. (2013). Building Resilience in Supply ChainsView
  • Product Integrity / Quality
    • (ISC)2 Government Advisory Board Executive Writers Bureau, Special to GCN. (2009). The Recipe for ‘Baking in’ Security in Software Systems. GCN. View
    • Cadzow, S., Giannopoulos, G., Merle, A., Storch, T., Vishik, C., Gorniak, S., Ikonomou, D. (2012). Supply Chain Integrity – An Overview of the ICT Supply Chain Risks and Challenges, and Vision for the Way Forward. European Network and Information Security Agency. View
    • CapGemini (2011). World Quality ReportView
    • Evans, J.W., Evans, J.Y., Ryu, D. (2001). Product Integrity and Reliability in Design. Springer. Great Britain.
    • Granstrand, O., Bohlin, E., Oskarsson, C. and Sjöberg, N. (1992), External Technology Acquisition in Large Multi-Technology Corporations. R&D Management, 22: 111–134. DOI:10.1111/j.1467-9310.1992.tb00801.x
    • Lee, H. L., & Whang, S. (2005). Higher Supply Chain Security with Lower Cost: Lessons from Total Quality Management. International Journal of production economics, 96(3), 289–300. View
    • Myers, G., Sandler, C., Iadgett, T. (2012). The Art of Software Testing. John Wiley & Sons, Inc., Hoboken, NJ, USA.
    • Patton, R. (2001). Software Testing (2nd Edition). Sams, Indianapolis, IN, USA.
    • Starch, T. (2011). Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity. Microsoft Corporation. View

Back to Top