NIST.SP.800-161
Special Publication 800-161
Supply Chain Risk Management Practices for Federal Information Systems and Organizations
1.5 FOUNDATIONAL PRACTICES
ICT supply chain risk management builds on existing standardized practices in multiple disciplines. Organizations should consider reaching a base level of maturity in foundational practices prior to specifically focusing on ICT SCRM practices that are more advanced. Those foundational practices are described in NIST standards and guidelines as well as other applicable national and international standards and best practices. They include: ensuring that organizations understand the cost and scheduling constraints of implementing ICT SCRM; integrating information security requirements into the acquisition process; using applicable baseline security controls as one of the sources for security requirements; ensuring a robust software quality control process; and establishing multiple sources (e.g., delivery routes) for critical system elements. A formal program and process, including dedicated resources, may be used to reach a base level of maturity. [FIPS 199] "high-impact" systems should already have these foundational practices established.
Having foundational practices in place is critical to successfully and productively interacting with mature system integrators and suppliers who may have such practices standardized and in place.
The following are specific examples of the multidisciplinary foundational practices that can be implemented incrementally to improve an organization's ability to develop and implement more advanced ICT SCRM practices:
• Implement a risk management hierarchy and risk management process (in accordance with NIST SP 800-39, Managing Information Security Risk [NIST SP 800-39]), including an organization-wide risk assessment process (in accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments [NIST SP 800-30 Rev. 1]);
• Establish an organizational governance structure that integrates ICT SCRM requirements and incorporates these requirements into the organizational policies;
• Establish consistent, well-documented, repeatable processes for determining [FIPS 199] impact levels;
• Use risk assessment processes after the [FIPS 199] impact level has been defined, including criticality analysis, threat analysis, and vulnerability analysis;
• Implement a quality and reliability program that includes quality assurance and quality control processes and practices;
• Establish a set of roles and responsibilities for ICT SCRM that ensures that the broad set of appropriate stakeholders is involved in decision making, including who has the required authority to take action, who has accountability for an action or result, and who should be consulted and/or informed (e.g., Legal, Risk Executive, HR, Finance, Enterprise IT, Program Management/System Engineering, Information Security, Acquisition/Procurement, Supply Chain Logistics, etc.);
• Ensure that adequate resources are allocated to information security and ICT SCRM to ensure proper implementation of guidance and controls;
• Implement consistent, well-documented, repeatable processes for system engineering, ICT security practices, and acquisition;
• Implement an appropriate and tailored set of baseline information security controls from NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [NIST SP 800-53 Rev. 4];
• Establish internal checks and balances to assure compliance with security and quality requirements;
CHAPTER 1 PAGE 10