The National Institute of Standards and Technology (“NIST”) has announced the release of NIST Special Publication 800-161Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

According to the NIST, Federal agencies are concerned as to the risks associated with information and communications technology (“ICT”) products and services, including those that may contain potentially malicious functionality which are counterfeit, or are vulnerable due topoor manufacturing and development practices within the ICT supply chain.
SP 800-161 provides guidance to Federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations; as well as integrating ICT supply chain risk management (“SCRM”) into Federal agency risk management activities, by applying a multi-tiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities. It also builds on existing practices from multiple disciplines and is intended to increase the ability of organizations to strategically manage ICT supply chain risks over the entire life cycle of systems, products, and services. 

According to the SP 800-161, organizations should ensure that tailored ICT SCRM Plans are designed to:

  • Manage, rather than eliminate risk;
  • Ensure that operations are able to adapt to constantly evolving threats;
  • Be responsive to changes within their own organization, programs, and the supporting information systems; and
  • Adjust to the rapidly evolving practices of the private sector's global ICT supply chain.

Organizations should be aware of the fact that implementing these controls will involve and require financial and human resources. The challenge of balancing ICT supply chain risks with the costs and benefits of mitigating controls should be a key component of the acquirer’s overall approach to ICT SCRM.