NIST 800-161 (see https://www.upguard.com/blog/third-party-risk-requirements-nist-800-161) was published in April 2015 as Supply Chain Risk Management Practices for Federal Information Systems and Organizations. In May 2022, a year after the Executive Order on Improving the Nation's Cybersecurity (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/), NIST published a revised version, NIST 800-161 rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
NIST generally treats Supply Chain Risk Management (SCRM) and Cyber Supply Chain Risk Management (C-SCRM), which overlaps with traditional information security, as the same concept.
NIST 800-161’s focus on supply chain controls helps organizations mature their cybersecurity practices and benefits them in several key areas:

- Effective risk management
- Assessing software vendors
- Evaluation of open-source software
Foundational practices suggested by NIST 800-161 include the following:

- Raising awareness of the vital importance of C-SCRM
- Allocating sufficient resources for information security and C-SCRM
- Establishing a C-SCRM team
- Integrating C-SCRM into organizational policies
- Integrating C-SCRM into acquisition/procurement policies
- Implementing a risk management process, including company-wide risk assessment
- Identifying and measuring the criticality of products, services, and suppliers
- Prioritizing supplier risk
- Establishing collaborative roles and processes for the supply chain and cybersecurity
- Establishing quality control and internal check procedures
- Implementing an incident management program that can identify security incidents that originate in the digital supply chain