Note: the information in this piece reflects the most recent NIST updates as of 6/22/2022.
SP 800-161 Rev. 1 offers NIST’s latest guidelines on supply chain security, including new controls and metrics for cybersecurity supply chain risk management (C-SCRM),
updated guidance on risk appetite and risk tolerance, and updates to accompany new authorities under the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA) and to respond to the May 2021 Executive Order 14028.
This report explains the biggest changes within the update, details how the revisions affect most security teams and recommends ways to address them.
On May 5, 2022, NIST released NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations), an update to its 2015 supply chain security guidance. This revision was already under way prior to the May 2021
release of Executive Order 14028 (Improving the Nation’s Cybersecurity), with the first call for comments released on Feb. 4, 2020. However, the revision was given additional standing and priority because it was listed as a task under the Executive
Order. Highlights of the revision include new focus on:
Figure 1 comes from NIST and provides a visual representation of how an organization defines a risk appetite, using upper bounds for risk-taking and lower bounds for risk avoidance. Optimal risk management is between these two boundaries and exceeding
the risk appetite triggers a review by risk owners, including leadership, to determine if it is still within risk tolerance and to identify corrective actions.
The focus of this guidance is to provide an update on methods and practices to identify, assess and respond to cybersecurity risks throughout the supply chain—at all levels of an organization. The guidance is based on the latest NIST SP 800-53 Rev.
5 control update. A subset of 800-53 Rev. 5 controls relevant to C-SCRM are extracted and enhanced with additional guidance. In addition, new controls are added that are not included in the NIST control catalog (see Figure 2).
NIST SP 800-161 Rev. 1 primarily affects federal government departments and agencies, contractors, and software vendors subject to the FASCSA of 2018 and Executive Order 14028. In addition, organizations that do not sell software products or services
to the federal government or its contractors may find this guide useful to update their own supply chain security program.
Before jumping into the C-SCRM process, however, consider the size and scope of your firm. What is the breadth and depth of your vendor footprint, from cloud service providers to third-party software packages? How mature is your existing vendor risk management program, and how could it be updated to incorporate recommendations from this guidance?
NIST recommends tailoring this guidance using those factors, focusing first on identified foundational C-SCRM practices until you reach a base level of maturity. Then, you should move onto sustaining and enhancing practices. NIST also recommends organizations
first conduct a risk assessment of their C-SCRM capabilities. Companies select security controls based on the NIST SP 800-53 Rev. 5 overlay (see Figure 2) and then tailor and
implement those controls following the guidance in both documents. This includes consideration of your organization’s environment, operations, threats and data sensitivity.
For example, if you are just starting out in your C-SCRM program (foundational practices) and use an automated continuous integration/continuous delivery build process in your SDLC (a sustaining practice), you have some foundational work to complete before
you can incorporate C-SCRM best practices into your existing delivery process.
NIST SP 800-161 Rev. 1 includes several changes and updates designed to enhance your supply chain visibility and security. While it applies primarily to federal government agencies and contractors, other organizations can also use it to improve their
supply chain security. To get started:
The future of heightened software supply chain security expectations from government and regulated institutions is clear, and these expectations will likely flow down the vendor ecosystem. Improving your C-SCRM program today will help minimize the impact
when your customers require stronger supply chain security.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.