NIST.SP.800-161
Special Publication 800-161
Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Security requirements
An organization's ICT SCRM policy is a critical vehicle for guiding ICT SCRM activities. Driven by applicable laws and regulations, this policy should support applicable organization policies, including acquisition and procurement, information security, quality, and supply chain and logistics. It should address goals and objectives articulated in the overall agency strategic plan, as well as specific mission functions and business goals, along with the internal and external customer requirements. It should also define the integration points for ICT SCRM with the agency's Risk Management Process and SDLC.

ICT SCRM policy should define ICT SCRM-related roles and responsibilities of the agency ICT SCRM team, any dependencies among those roles, and the interaction among the roles. ICT SCRM-related roles will articulate responsibilities for collecting ICT supply chain threat intelligence, conducting risk assessments, identifying and implementing risk-based mitigations, and performing monitoring functions. Identifying and validating roles will help to specify the amount of effort that will be required to implement the ICT SCRM Plan. Examples of ICT SCRM-related roles include:
- Risk executive function that provides overarching ICT supply chain risk guidance to engineering decisions that specify and select ICT products as the system design is finalized;
- Procurement officer and maintenance engineering responsible for identifying and replacing the hardware when defective;
- Delivery organization and acceptance engineers who verify that the part is acceptable to receive into the acquiring organization;
- System integrator responsible for system maintenance and upgrades, whose staff resides in the acquirer facility and uses system integrator development infrastructure and the acquirer operational infrastructure;
- System Security Engineer/Systems Engineer responsible for ensuring that information system security concerns are properly identified and addressed; and
- The end user of ICT systems/components/services.
ICT SCRM requirements should be guided by the ICT SCRM policy, as well as by the mission functions and their criticality at Tier 2 and by known functional and security requirements at Tier 3.
RISK TOLERANCE

TASK 1-3: Identify the level of risk tolerance for the organization.

Supplemental Guidance:
Risk tolerance is the level of risk that organizations are willing to accept in pursuit of strategic goals and objectives [NIST SP 800-39]. Organizations should take into account ICT supply chain threats, vulnerabilities, constraints, and baseline criticality when identifying the overall level of risk tolerance.[17]

[17] Federal Departments' and Agencies' governance structures vary widely (see [NIST SP 800-100, Section 2.2.2]). Regardless of the governance structure, individual agency risk decisions should apply to the agency and any subordinate organizations, but not in the reverse direction.
CHAPTER 2 PAGE 32