NIST.SP.800-161
Special Publication 800-161
Supply Chain Risk Management Practices for Federal Information Systems and Organizations
can present opportunities for ICT supply chain compromises.[3] For example, an adversary may have the power to insert malicious capability into a product or to coerce a manufacturer to hand over the manufacturing specifications of a sensitive U.S. system. Note that it is impossible to completely eliminate all risks.
Currently, organizations and many private sector integrators and suppliers use varied and not yet standardized practices, which make it difficult to consistently measure and manage ICT supply chain risks across different organizations. ICT Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.
1.1 PURPOSE

The purpose of this publication is to provide guidance to federal agencies on identifying, assessing, selecting, and implementing risk management processes and mitigating controls throughout their organizations to help manage ICT supply chain risks.
The processes and controls identified in this document can be modified or augmented with organization-specific requirements from policies, guidelines, and other documents. This publication empowers organizations to develop ICT SCRM mitigation strategies that are tailored to their particular mission/business needs, threats, and operational environments. The publication does not provide contract language or a complete list of ICT SCRM methods and techniques that mitigate specific supply chain threats.
1.2 SCOPE

This publication provides guidance to federal agencies on managing ICT supply chain risks to their information systems and organizations. The processes and controls described in this publication build on federal agency guidance and are for federal agencies to consider and implement. While entities outside of the federal government may decide to consult this publication as a source of good practices, the publication does not contain any specific guidance for those entities.
The guidance and controls in this publication are recommended for use with high-impact systems according to Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems [FIPS 199]. However, because of interdependencies and individual needs, agencies may choose to apply the guidance to systems at a lower-impact level or to specific system components.
Agencies should carefully consider the potential costs of applying ICT SCRM controls beyond high-impact information systems and weigh the costs against the risks to the organization of not applying ICT
[3] This document defines an ICT Supply Chain Compromise as:

An occurrence within the ICT supply chain whereby an adversary jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits. An ICT supply chain compromise can occur anywhere within the system development life cycle of the product or service.
CHAPTER 1 PAGE 2