NIST.SP.800-161
NIST.SP.800-161
NIST.SP.800-161
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Special Publication 800-<strong>161</strong><br />
Supply Chain Risk Management Practices for Federal<br />
Information Systems and Organizations<br />
________________________________________________________________________________________________________<br />
The ICT supply chain infrastructure does not include:<br />
<br />
<br />
<br />
<br />
<br />
The information system traversing the supply chain;<br />
Any information system not used in the development, testing, maintenance, or retirement of<br />
information system components;<br />
System integrator, supplier, and external service provider information systems that are outside of<br />
the organization’s information system boundaries as defined by [<strong>NIST</strong> SP 800-37 Rev. 1];<br />
System integrator, supplier, and external service provider people, processes, and technology that<br />
are not engaged in supporting the information system sytem development life cycle (SDLC); and<br />
The organization’s people, processes, and technology not engaged in the SDLC for an<br />
information system. For example, organization’s shipping and receiving processes handling non-<br />
ICT are not included in the ICT supply chain infrastructure, such as food services or paper clips.<br />
Supplier and system integrator are included under the definition of “developer” by <strong>NIST</strong> SP 800-53<br />
Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations:<br />
A general term that includes: (i) developers or manufacturers of information systems, system<br />
components, or information system services; (ii) systems integrators; (iii) vendors; and (iv)<br />
product resellers. Development of systems, components, or services can occur internally within<br />
organizations (i.e., in-house development) or through external entities.[<strong>NIST</strong> SP 800-53 Rev. 4, p.<br />
B-6]<br />
<strong>NIST</strong> SP 800-<strong>161</strong> uses <strong>NIST</strong> SP 800-53 Revision 4 developer definition items (i), (iii), and (iv) to define<br />
supplier and item (ii) to define system integrator.<br />
<strong>NIST</strong> SP 800-53 Revision 4 describes external information system service provider as follows:<br />
External services can be provided by: (i) entities within the organization but outside of the security<br />
authorization boundaries established for organizational information systems; (ii) entities outside<br />
of the organization either in the public sector (e.g., federal agencies) or private sector (e.g.,<br />
commercial service providers); or (iii) some combination of the public and private sector options.<br />
External information system services include, for example, the use of service-oriented<br />
architectures (SOAs), cloud-based services (infrastructure, platform, software), or data center<br />
operations. External information system services may be used by, but are typically not part of,<br />
organizational information systems. In some situations, external information system services may<br />
completely replace or heavily augment the routine functionality of internal organizational<br />
information systems. [<strong>NIST</strong> SP 800-53 Rev. 4, p. B-8]<br />
Additionally, <strong>NIST</strong> SP 800-53 Revision 4 describes organizational users as follows:<br />
An organizational employee or an individual the organization deems to have equivalent status of<br />
an employee including, for example, contractor, guest researcher, or individual detailed from<br />
another organization.[<strong>NIST</strong> SP 800-53 Rev. 4, p. B-16]<br />
CHAPTER 1 PAGE 6