The Ultimate Guide to

NIST SP 800-161

NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, guides organizations on identifying, assessing, and mitigating cyber supply chain risks at all levels of the organization. The publication integrates cybersecurity supply chain risk management (C-SCRM) into existing risk management activities through a multi-level, C-SCRM-specific approach, including guidance on developing a C-SCRM strategy, implementation plans, C-SCRM policies, and C-SCRM risk assessments for products and services.

The importance of a cybersecurity supply chain risk management program

Establishing a robust cybersecurity supply chain risk management program needs to be a top priority for every organization today–regardless of size or the nature of business. Supply chain-related cybercrime accelerated into overdrive in 2020 and is showing no signs of slowing. Supply chain breaches have become alarmingly prevalent, with over 60% of data breaches worldwide resulting from third-party exposure. In 2020, a whopping 90% of businesses experienced a cybersecurity incident like a data breach because of a third-party or supply chain failure.

Global giants in every industry feel the pain of overlooking supply chain risk. In early 2020, SolarWinds, a Texas-based IT management company, had its systems hacked and malicious code added to its popular Orion software product. Seemingly innocent software updates were responsible for infecting many high-end SolarWinds customers. The largest healthcare breach of 2020 occurred when a significant number of nonprofits using a fundraising platform designed by the cloud computing vendor Blackbaud had sensitive data stolen and held hostage. This widely reported ransomware supply chain attack negatively impacted approximately two dozen healthcare providers and 10 million patients.

Today, organizations rely heavily on third-party vendors and suppliers for products and services–probably more now than ever as outsourcing has become the wave of the present. Companies depend on extensive supply chain networks to run their businesses, operate efficiently, and serve customers.

Here lies the problem: any security issue in your supply chain can instantly become your security issue and a severe risk for your organization. Supply chain risks are often magnified today because many organizations don’t have the processes, procedures, and practices to ensure the security, safety, integrity, quality, reliability, or trustworthiness of a product or service.

Why are supply chain risks so difficult to identify?

Think about it–how well do you know your suppliers and vendors? Organizations using third-party supply chains to acquire products and services face a lot of unknowns. Acquirers often don’t know how purchased technology is developed, integrated, and deployed or how providers deliver services. Also, most organizations have limited visibility into their supply chain’s security and compliance policies and practices. Here is a telling statistic – 69% of organizations admit they don’t have full visibility into their vendors’ security practices. 

Supply chains can introduce risk to your organization in numerous ways, and below are a few common means of entry and how they affect victims:

  • Proxy working on behalf of a nation-state or threat actor inserts malicious software into supplier-provided products sold to a government agency or private buyer, and a breach occurs, resulting in damages to the customer
  • System integrator working on behalf of agency reuses vulnerable code leading to breach of mission-critical data with national security implications
  • Criminal enterprise introduces counterfeit products resulting in loss of customer trust and confidence

Today, organizations choosing to ignore the security posture of their supply chain do so at their own peril. Such oversight can easily result in a breach with a heavy price tag: according to IBM’s Cost of a Data Breach Report 2021, the average financial hit of suffering a breach has now reached $4.24 million. These weighty economic costs can include recovery, downtime, lost revenue, and potential fines and penalties for regulatory violations. All this comes in addition to your company’s name being splashed across the news and the resulting fallout and reputational damage.

What is the purpose of NIST SP 800-161?

NIST SP 800-161 provides a trusted source of directional guidance on identifying, assessing, and mitigating supply chain risks for all types of businesses and organizations. This guideline is uniquely helpful in integrating C-SCRM into established risk management activities by applying a multi-level, C-SCRM-specific approach. NIST SP 800-161 provides in-depth instruction on creating C-SCRM strategy plans, policies, implementation, and risk assessments for products and services. The NIST SP 800-161 document was revised in both April and October of 2021, with the final version expected to be released in Q3 of 2022.

The introduction section of NIST SP 800-161 outlines the document’s purpose, introduces target audience profiles, and discusses owner/operator and supplier/enterprise relationships concerning C-SCRM.

The second section dives into the governance, organizational structures, roles, responsibilities, and activities performed across all three C-SCRM levels. Recent history shows us the critical importance of managing supply chain risk and making it a central pillar in any organization’s overall risk management program. Section 2 explains the integration of C-SCRM with the enterprise-wide risk management processes described in NIST SP 800-39, including the continuous and iterative steps of framing, assessing, responding to, and mitigating risk.

Section 2 also builds a business case for C-SCRM, discusses risk in supply chains, and explains the three-tiered, multi-level risk management approach created to ensure a seamless C-SCRM process. Each level contains stakeholders from multiple disciplines, including information security, engineering, HR, and legal, who collectively execute and continuously improve C-SCRM activities. Level 1 is the executive tier, focusing on managing C-SCRM across the enterprise with high-level strategy, policy, and implementation planning. Level 2 is the mission/business process tier, focusing on directing activities at the mission/business level with mid-level C-SCRM strategies, policies, and implementation plans. Level 3 is the operational tier, focusing on more granular execution strategies and system-level C-SCRM plans.

Section 3 of NIST SP 800-161 provides an in-depth look at the critical success factors required for any C-SCRM program. This section discusses the integration of C-SCRM into acquisition, supply chain info sharing, awareness and training, key practices, implementing measurement controls, and dedicating resources to your C-SCRM program.

What types of organizations would benefit from using NIST SP 800-161 guidance?

Any business or organization engaging third-party vendors or suppliers with whom they share sensitive customer or patient information can benefit from following NIST SP 800-161 guidelines. For instance, retail or e-commerce businesses storing sensitive customer information with card processors or cloud service providers; healthcare organizations using email providers, coding services, or cloud storage vendors to assist in the storing or transmitting of sensitive patient records; and banking or financial service companies buying software products for marketing, accounting, or security services. Ultimately, if your company does business with any suppliers or vendors that can access sensitive customer or patient information, now’s the time to become familiar with the guidance found in the NIST SP 800-161 framework.

What are the critical success factors for a supply chain risk management program?

Ready to begin building your organization’s supply chain risk management program? Below are the critical success factors your team should use as guidelines for program success:

Integrating C-SCRM with acquisition
  • Make sure your team considers C-SCRM when selecting new vendors and service providers.
  • Have acquisition policies and processes in place stating that you will assess supply chain risk and make sure the risk is acceptable before purchasing a solution from a supplier.

Sharing supply chain information

Build a process to gain agreement from your suppliers, business partners, and peer enterprises to share supply chain risk information. This way, your organization can leverage the collective experience, knowledge, and capabilities of a sharing community to gain a complete understanding of the threats your company may face.

Initiating C-SCRM Training and Awareness

Many individuals within your organization contribute to the success of C-SCRM. These may include but are not limited to information security, procurement, risk management, engineering, software development, IT, legal, and HR. Examples of these groups’ contributions include:

  • System Owners hold responsibility for the development, procurement, integration, modification, operation, maintenance, and final retirement of an information system.
  • Human Resources defines and implements background checks and education policies, which help to ensure individuals are trained in the appropriate C-SCRM processes and procedures.
  • Legal helps draft or review C-SCRM-specific contractual language included in contracts with suppliers, developers, system integrators, external system service providers, and other information, communication, and operational technology-related service providers.
  • Procurement defines the process for implementing supplier assurance practices within the procurement process.
  • Engineering designs products while understanding existing requirements for the use of open source components.
  • Software developers ensure the early identification of software vulnerabilities along with code testing and repair.

Everyone in your organization, including the end-users of information systems, has a role in managing cybersecurity risk in the supply chain. Thus, your organization needs to use various communication methods to foster an understanding of the importance of C-SCRM, their specific roles and responsibilities, and the proper channels for reporting incidents. 

Individuals with more significant roles in managing cybersecurity risk in the supply chain should receive tailored training, helping them understand the scope of their responsibilities, specific processes, and procedure implementation for which they are responsible. This training must include the action steps necessary in the event of an incident, disruption, or other C-SCRM-related event.

Implementing fundamental practices

The following are the essential core practices of any risk management program:

  1. Establish a centralized, dedicated, multi-disciplinary C-SCRM Program Management Office team 
  2. Create a standard process for conducting risk assessments 
  3. Develop a process for identifying and measuring the criticality of the organization’s suppliers, products, and services 
  4. Raise awareness and foster understanding of C-SCRM and why it’s vital 
  5. Make sure C-SCRM is incorporated into your procurement policies and procedures 
  6. Establish consistent, well-documented processes to determine supplier impact levels  
  7. Use supplier risk assessment processes on a prioritized basis after defining vendor impact levels
  8. Establish clear collaborative and discipline-specific roles, accountabilities, structures, and processes for supply chain, cybersecurity, product security, and other relevant functions such as legal, risk executive, HR, finance, IT, system engineering, information security, and procurement
  9. Dedicate adequate resources to information security and C-SCRM, ensuring proper implementation of policy, guidance, and controls 
  10. Implement a tailored set of security controls, using NIST SP 800-53 Revision 5 (Security and Privacy Controls for Information Systems and Enterprises) as a reference
  11. Implement internal checks and balances ensuring compliance with security and quality requirements 
  12. Implement an incident response management program so your incident response team can identify the root cause of security incidents, including those originating from your supply chain 
  13. Establish internal processes validating that suppliers and service providers are actively identifying and disclosing vulnerabilities in their products

Measuring the effectiveness of your C-SCRM program

Measuring the performance of your C-SCRM program provides multiple organizational and financial benefits: increasing stakeholder accountability for C-SCRM performance, improving the effectiveness of C-SCRM activities, demonstrating compliance with laws and regulations, providing quantifiable input for resource allocation decisions, and avoiding the costs of a cyber supply chain incident by reducing its impact or likelihood.

Below are several ways of measuring and managing the effectiveness of your C-SCRM program: 

  • Using a framework such as NIST CSF to assess your C-SCRM capabilities 
  • Measuring progress of your C-SCRM initiatives towards completion 
  • Measuring the performance of your C-SCRM initiatives towards desired outcomes

Dedicating resources

To stay on top of cybersecurity risk in the supply chain, your organization must dedicate adequate funds toward the effort. Securing and assigning C-SCRM funding is a sign of leadership’s commitment to the importance of C-SCRM and its relevance to economic security, thus ensuring the protection, continuity, and resilience of mission and business processes and assets.

What are critical C-SCRM security controls?

Let’s begin by asking a critical question: what specific C-SCRM security controls should your organization have in place? 

NIST defines security controls as the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.  

NIST SP 800-53 defines multiple cybersecurity supply chain-related controls within the catalog of information security controls.

NIST SP 800-161 Appendix A: C-SCRM Security Controls identifies and augments C-SCRM-related controls with supplemental guidance, providing new controls as appropriate. The security control families that your team should become familiar with include the following:

Access control

Supplier’s system access must be managed to prevent unauthorized release, modification, or destruction of information. Access should be limited only to the necessary type, duration, and level for authorized enterprises and monitored for impact on the supply chain.

Awareness and training

This family expands the Awareness and Training control of FIPS 200 to include C-SCRM. It discusses the training component behind understanding supply chain security challenges and the appropriate processes and controls to mitigate cybersecurity risk in the supply chain.

Audit and accountability

Information system audit records must be created and stored to monitor, investigate, and analyze unlawful or inappropriate system activity. This control also monitors and traces all system users’ actions.

Assessment, authorization, and monitoring

Information system controls must be assessed periodically to ensure correct function, and plans to correct any deficiencies and eliminate potential vulnerabilities must be developed and implemented. Information systems must also be continually monitored to ensure the effectiveness of controls.

Configuration management

Baseline configurations and inventories of information systems (e.g., hardware, software, firmware, documentation) must be established throughout the system development life cycle (SDLC). Additionally, security configuration settings must be created for all information system products.

Contingency planning

Guidelines must be created to establish and implement plans covering emergency response, backup operations, and post-disaster recovery for information systems and supply chains.

Identification and authentication

System components must be identified and authorized in addition to individuals and processes acting on behalf of individuals within the supply chain network. 

Incident response

Effective incident handling capability must be established within information systems and supply chains, including adequate preparation, detection, analysis, containment, recovery, and user response activities. All incidents must be tracked, documented, and reported to appropriate officials and authorities.

Maintenance

Maintenance must be performed on information systems while providing adequate controls for the tools, techniques, mechanisms, and personnel involved. C-SCRM should be applied to maintenance, including assessing cybersecurity risk in the supply chain, selecting C-SCRM controls, implementing these controls, and continued monitoring to ensure proper function. 

Media protection

Paper and digital media must be protected across the supply chain with access limited to authorized users. Additionally, all system media must be sanitized or destroyed before disposal.

Physical and environmental protection

Physical access to information systems, equipment, and operating environments must be limited to authorized personnel, while physical assets, infrastructure, and information systems within the supply chain must be safeguarded from environmental hazards.

Planning

Security plans must be developed, documented, implemented, and updated for supply chain information systems that describe current security controls and set the behavior guidelines for individuals accessing the systems.

Program management

Minimum security control requirements aren’t specified by FIPS 200 for program management. However, any program management controls should be applied in a C-SCRM context, providing guidance and feedback for enterprise-wide C-SCRM activities. These controls should apply across the entire enterprise while supporting an overarching information security program.

Personnel security

This family ensures that individuals in positions of responsibility meet established security criteria for those positions and protects supply chain information systems during personnel moves such as terminations and transfers. It also imposes formal sanctions on those failing to comply with personnel security policies.

Personally identifiable information processing and transparency

This is a new control family, explicitly developed to address the processing and transparency concerns of personally identifiable information (PII) within supply chains. Enterprises must build their PII processing and transparency policies and procedures with an eye on supply chain risk management and system security.

Risk assessment

Risk to organizational operations, assets, and individuals resulting from the operating of information systems must be periodically assessed in light of maintaining effective supply chain risk management.

System and service acquisition

Sufficient resources must be allocated to adequately secure organizational information systems and ensure all third-party suppliers follow similar protocols to protect the information, applications, products, and services outsourced from the company.

System and communications protection

Organizational communications must be monitored, controlled, and protected at both internal and external information system boundaries, employing architectural designs, software development techniques, and systems engineering principles to deliver adequate information security. 

System and information integrity

Teams must monitor information security alerts and take appropriate action to identify, report, and correct system flaws quickly. This includes protecting against malicious code at appropriate locations within information systems.

Supply chain risk management

FIPS 200 doesn’t specify minimum security requirements for supply chain risk management. NIST SP 800-53 Rev. 5 established supply chain risk management (SR) as a new control family, and SP 800-161 Rev. 1 incorporates all of the SR controls and control enhancements from SP 800-53 Rev. 5.

Who should be involved in a cybersecurity supply chain risk management program?

As an organization attempting to manage supply chain risk, you must keep in mind that building and operating a successful C-SCRM program is a complicated and challenging undertaking. The process will require a cultural transformation fueled by a tri-layered, team-oriented, multi-disciplinary approach. C-SCRM must be supported by the committed engagement of a wide array of your internal stakeholders infusing perspectives from all disciplines and the cooperation and assistance of external stakeholders like suppliers, developers, and system integrators.

To maximize the effectiveness of your C-SCRM program in controlling supply chain risk, you will want to use a multi-level, enterprise-wide risk management approach to define roles and assign responsibility. These are the three levels your organization needs to include:

Executive leadership (Level 1)

This level, composed primarily of C-suite positions, frames risk for the enterprise and sets the risk appetite. It orchestrates risk management from the top down by defining the enterprise C-SCRM strategy and high-level implementation plans, policies, goals, and objectives. The executive level also forms and institutes governance structures and operating models while taking the lead in making enterprise-level C-SCRM decisions. Finally, executive leadership leads the creation of a C-SCRM Program Management Office (PMO).

Business management (Level 2)

This level is composed of Program Management (PM), Research and Development (R&D), Engineering (SDLC oversight), Acquisition and Supplier Relationship Management/Cost Accounting, and other management related to reliability, safety, security, and quality, as well as the C-SCRM PMO. It frames and manages enterprise risk related to the mission/business process and is responsible for developing mission and business process-specific strategy, procedures, guidance, constraints, and implementation plans. Business management should collaborate with the C-SCRM PMO while reporting on C-SCRM to Level 1 and acting on reports from Level 3.

Systems Management (Level 3)

This level comprises architects, developers, System Owners, QA/QC, test contracting personnel, C-SCRM PMO staff, control engineers, and control system operators. Systems Management is responsible for developing C-SCRM plans while implementing C-SCRM policies and requirements. It must adhere to the constraints provided by Levels 1 and 2 while reporting on C-SCRM to Level 2. Systems Management’s most critical role in managing risk may be tailoring C-SCRM to the context of individual systems and applying it throughout the SDLC.

Ready to get your C-SCRM program up and running?

Your organization’s C-SCRM program can be operationalized using a centralized, decentralized, or hybrid model.

In a centralized model, you can concentrate and assign certain C-SCRM activities to a central PMO. The PMO acts as a service provider for other business processes and groups. The PMO could provide beneficial services such as:

  • Provide advisory services and subject matter expertise
  • Chair internal C-SCRM working groups or councils
  • Act as a centralized hub for tools, assistance, awareness, and training templates
  • Conduct supplier and product risk assessments
  • Act as a liaison to external stakeholders
  • Manage a C-SCRM risk register
  • Oversee C-SCRM project and performance management

If you choose a decentralized model for your C-SCRM program, more responsibility will fall on the individual stakeholders within the three levels–Executive Leadership, Business Management, and Systems Management. A decentralized model lacks the oversight and coordination provided by a PMO. Smaller organizations with fewer resources and processes to manage may benefit from this type of model. Also, keep in mind that a hybrid model exists if your organization wants to maintain some degree of central control but not commit to a fully centralized approach. Ultimately, ownership and accountability for supply chain risk lie with organizational leadership. Base the model you choose to operationalize your C-SCRM program on available resources and management’s preferred approach.

NIST SP 800-161 Appendices

Whichever model your organization selects to guide your C-SCRM program, it’s essential to become familiar with the appendices provided in the NIST SP 800-161 document. These appendices provide additional information and guidance to help your organization design and implement an effective C-SCRM program.

  • Appendix A – This Appendix discusses how security controls help mitigate risk to information systems and supply chain infrastructure. The section introduces twenty (20) C-SCRM control families, including relevant controls and supplemental guidance. 
  • Appendix B – This Appendix lists the C-SCRM controls in NIST SP 800-161 and maps each of them to their corresponding [NIST SP 800-53 Rev. 5] controls as appropriate. 
  • Appendix C – This Appendix provides an example of a Risk Exposure Framework for C-SCRM that can help enterprises address potential and identified threats. The framework contains six examples that demonstrate how to identify vulnerabilities, describe specific threat sources, show the expected impact on the enterprise, and propose C-SCRM controls to help mitigate risk.
  • Appendix D – This Appendix provides examples of templates outlining the typical components of the C-SCRM strategy and implementation plan.
  • Appendix E – This Appendix augments the current content in NIST SP 800-161 Revision 1. It provides additional guidance specific to federal executive agencies on supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response. 
  • Appendix F – The purpose of this Appendix is to guide IT, C-SCRM PMO, acquisition/procurement, and other functions to facilitate compliance with the relevant EO. This guidance includes applying existing SP 800-161 Rev. 1 controls to suppliers and, where feasible, adopting new software supply chain security recommendations that previously fell outside of the explicit scope of SP 800-161 Rev. 1.

How Hyperproof Supports Cybersecurity Supply Chain Risk Management

Hyperproof’s compliance operations software helps organizations implement a robust cyber supply chain risk management program. Sign up for a personalized demo to see how you can use Hyperproof to manage a C-SCRM program efficiently.

NIST SP 800-161

  • Build a C-SCRM program based on the NIST SP 800-161 framework. The Hyperproof platform comes with this framework’s security controls out of the box.
  • Assign C-SCRM activities to process and control owners while keeping team members accountable.
  • Maintain a single database of all entities in your supply chain.
  • Conduct supplier or vendor risk assessments, analyze results, and prioritize risk mitigation activities.
  • Efficiently coordinate vendor remediation workflows and track the status of issues.
  • Easily map your C-SCRM activities to requirements within regulatory frameworks and demonstrate compliance with no extra effort.
  • Document, organize, and centrally store all compliance artifacts, including C-SCRM policies, plans, risk assessment results, and remediation activities.
  • Save time retrieving compliance artifacts for audits.

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST CSF ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
