NIST.SP.800-161
Special Publication 800-<strong>161</strong><br />
Supply Chain Risk Management Practices for Federal<br />
Information Systems and Organizations<br />
________________________________________________________________________________________________________<br />
Reports on Computer Systems Technology<br />
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology<br />
(<strong>NIST</strong>) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s<br />
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of<br />
concept implementations, and technical analyses to advance the development and productive use of<br />
information technology. ITL’s responsibilities include the development of management, administrative,<br />
technical, and physical standards and guidelines for the cost-effective security and privacy of other than<br />
national security-related information in federal information systems. The Special Publication 800-series<br />
reports on ITL’s research, guidelines, and outreach efforts in information system security, and its<br />
collaborative activities with industry, government, and academic organizations.<br />
Abstract<br />
Federal agencies are concerned about the risks associated with information and communications<br />
technology (ICT) products and services that may contain potentially malicious functionality, are<br />
counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply<br />
chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of,<br />
and control over how the technology that they acquire is developed, integrated and deployed, as well as<br />
the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the<br />
products and services.<br />
This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT<br />
supply chain risks at all levels of their organizations. The publication integrates ICT supply chain risk<br />
management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific<br />
approach, including guidance on assessing supply chain risk and applying mitigation activities.<br />
Keywords<br />
Acquire; Information and Communication Technology Supply Chain Risk Management; ICT SCRM; risk<br />
management; supplier; supply chain; supply chain assurance; supply chain risk; supply chain risk<br />
assessment; supply chain security<br />
Acknowledgements<br />
The authors, Jon Boyens, National Institute of Standards and Technology (<strong>NIST</strong>), Celia Paulsen (<strong>NIST</strong>),<br />
Rama Moorthy (Hatha Systems), and Nadya Bartol (Utilities Telecom Council), would like to<br />
acknowledge and thank the ICT SCRM community, which has provided the authors invaluable insight<br />
and diverse perspectives on managing the ICT supply chain. We would especially like to thank Kelly<br />
Dempsey (<strong>NIST</strong>), Dr. Ron Ross (<strong>NIST</strong>), and Stephanie Shankles (Booz Allen Hamilton) for their<br />
contribution to the content during the document development and review. We would also like to thank<br />
numerous reviewers within the information technology community who took the time to provide valuable<br />
feedback and comments on the public drafts. Finally, we would like to thank the participants of <strong>NIST</strong>’s<br />
October 2012 ICT SCRM Workshop for providing the guiding foundation to the approach this<br />
publication has taken.<br />
Page iii