NIST.SP.800-161
Special Publication 800-161
Supply Chain Risk Management Practices for Federal Information Systems and Organizations

List of Figures and Tables
FIGURE 1-1: FOUR PILLARS OF ICT SCRM (p. 4)
FIGURE 1-2: FEDERAL AGENCY RELATIONSHIPS WITH SYSTEM INTEGRATORS, SUPPLIERS, AND EXTERNAL SERVICE PROVIDERS WITH RESPECT TO THE SCOPE OF NIST SP 800-161 (p. 5)
FIGURE 1-3: ICT SUPPLY CHAIN RISK (p. 7)
FIGURE 1-4: AN ORGANIZATION'S VISIBILITY, UNDERSTANDING, AND CONTROL OF ITS ICT SUPPLY CHAINS (p. 8)
FIGURE 1-5: ICT SCRM SECURITY CONTROLS IN NIST SP 800-161, CHAPTER 3.5 (p. 14)
FIGURE 2-1: RISK MANAGEMENT PROCESS (p. 16)
FIGURE 2-2: MULTITIERED ORGANIZATION-WIDE RISK MANAGEMENT (p. 18)
FIGURE 2-3: ICT SCRM RISK MANAGEMENT (p. 22)
FIGURE 2-4: ICT SCRM ACTIVITIES IN RISK MANAGEMENT PROCESS (p. 23)
FIGURE 2-5: ICT SCRM IN THE FRAME STEP (p. 25)
FIGURE 2-6: ICT SCRM IN THE ASSESS STEP (p. 34)
FIGURE 2-7: ICT SCRM IN THE RESPOND STEP (p. 41)
FIGURE 2-8: ICT SCRM IN THE MONITOR STEP (p. 46)
FIGURE 3-1: ICT SCRM SECURITY CONTROLS IN NIST SP 800-161, CHAPTER 3.5 (p. 50)
FIGURE D-1: SAMPLE THREAT SCENARIO ANALYSIS FRAMEWORK (p. D-4)
FIGURE E-1: ISO/IEC 15288 LIFE CYCLE PROCESSES (p. E-1)
FIGURE E-2: ICT SCRM PLAN AND LIFE CYCLES (p. E-2)
FIGURE E-3: AGENCY IMPLEMENTATION OF ICT SCRM PLAN (p. E-7)
TABLE 2-1: SUPPLY CHAIN RISK MANAGEMENT STAKEHOLDERS (p. 19)
TABLE 2-2: EXAMPLES OF ICT SUPPLY CHAIN THREAT AGENTS (p. 27)
TABLE 2-3: SUPPLY CHAIN THREAT CONSIDERATIONS (p. 28)
TABLE 2-4: SUPPLY CHAIN VULNERABILITY CONSIDERATIONS (p. 29)
TABLE 2-5: SUPPLY CHAIN CONSTRAINTS (p. 31)
TABLE 2-6: EXAMPLES OF ICT SUPPLY CHAIN VULNERABILITIES MAPPED TO THE ORGANIZATIONAL TIERS (p. 38)
TABLE 2-7: ICT SCRM PLAN CONTROLS AT TIERS 1, 2, AND 3 (p. 45)
TABLE 3-2: ICT SCRM CONTROL FORMAT (p. 53)
TABLE A-1: ICT SCRM CONTROL SUMMARY (p. A-1)
TABLE C-1: ADVERSARIAL ICT SUPPLY CHAIN THREAT EVENTS (p. C-1)
TABLE C-2: NON-ADVERSARIAL ICT SUPPLY CHAIN THREAT EVENTS (p. C-6)
Page vii