NIST Special Publication 800-161 is a foundational cybersecurity guidance document developed by the National Institute of Standards and Technology (NIST). Its current revision, SP 800-161 Revision 1 (R1), is titled "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations."
NIST 800-161 R1 is designed to help organizations manage cybersecurity risks in their supply chains, which are increasingly targeted by sophisticated adversaries, because compromising a single widely used supplier, product or service can give an attacker a foothold in many downstream organizations at once.
NIST 800-161 is the US Government's authoritative guide for securing the supply chain from cyber threats, and federal acquisition programs such as GSA OASIS+ require conformity with NIST 800-161 R1. This Cybersecurity Supply Chain Risk Management (C-SCRM) framework outlines a risk-based, tiered approach to identifying and mitigating risks associated with third-party products, services and vendors. As supply chain attacks become more prevalent and sophisticated, adopting NIST 800-161 R1 is critical for organizations aiming to build a resilient cybersecurity posture in both government and industry settings.
The primary purpose of NIST SP 800-161 is to provide guidance on integrating Cybersecurity Supply Chain Risk Management (C-SCRM) into organizational risk management practices. NIST 800-161 R1:
NIST 800-161 recognizes that supply chains are global, complex and dynamic, often involving multiple tiers of suppliers, so that an organization frequently has no direct visibility into, or contractual relationship with, the sub-suppliers whose components end up in its systems. As such, the publication outlines a comprehensive and strategic approach for identifying, assessing and mitigating supply chain-related risks to systems, data and organizational operations.
Key elements from NIST 800-161 R1 include:
NIST 800-161 R1 also encourages organizations to consider C-SCRM risks during all stages, including: