Draft (2nd) NIST Special Publication 800- 161 1 Revision 1 2 Cyber security Supply Chain Risk 3 Management Practices for Systems 4 and Organizations 5 6 7 Jon Boyens 8 Angela Smith 9 Nadya Bartol 10 Kris Winkler 11 Alex Holbrook 12 Matthew Fallon 13 14 15 16 17 This publication is available free of charge from: 18 https://doi.org /10.6028/ NIST.SP.800 -161r1- draft2 19 20 Draft (2nd) NIST Special Publication 800 -161 21 Revision 1 22 23 Cybersecurity Supply Chain Risk 24 Management Practices for Systems 25 and Organizations 26 27 Jon Boyens 28 Angela Smith 29 Computer Security Division 30 Information Technology Laboratory 31 32 Nadya Bartol 33 Kris Winkler 34 Alex Holbrook 35 Matthew Fallon 36 Boston Consulting Group 37 38 39 This publicatio n is available free of charge from: 40 https://doi.org/10.6028/ NIST.SP.800 -161r1- draft2 41 42 October 2021 43 44 45 46 47 48 U.S. Department of Commerce 49 Gina M. Raimondo, Secretary 50 51 National Institute of Standards and Technology 52 James K. Olthoff , Performing the Non- Exclusive Functions and Duties of the Under Secretary of Commerce 53 for Standards and Technology & Director, National Institute of Standards and Technology 54 i Authority 55 This publication has been developed by NIST in accordance with its statutory responsibilities under the 56 Federal Information Security M odernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq. , Public Law 57 (P.L.) 113 -283. NIST is responsible for developing information security standards and guidelines, incl uding 58 minimum requirements for federal information systems, but such standards and guidelines shall not apply 59 to national security systems without the e xpress approval of appropriate f ederal officials exercising policy 60 authority over such systems. This guideline is consistent with the requirements of the Office of Management 61 and Budget (OMB) Circular A -130. 62 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and 63 binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these 64 guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, 65 Director of the OMB, or any other f ederal official. This publication may be used by nongovernmental 66 organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, 67 however, be appreciated by NIST. 68 National Institute of Standards and Technology Special Publication 800- 161 Revision 1 69 Natl. Inst. Stand. Technol. Spec. Publ. 800- 161 Rev. 1 , 338 pages (October 2021) 70 CODEN: NSPUE2 71 72 This publication is available free of charge from: 73 https://doi.org/10.6028/ NIST.SP.800 -161r1 -draft2 74 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 75 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 76 endorsement by NIST, nor is it inte nded to imply that the entities, materials, or equipment are necessarily the best 77 available for the purpose. 78 There may be references in this publication to other publications currently under development by NIST in accordance 79 with its assigned statutory re sponsibilities. The information in this publication, including concepts and methodologies, 80 may be used by federal agencies even before the completion of such companion publications. Thus, until each 81 publication is completed, current requirements, guideline s, and procedures, where they exist, remain operative. For 82 planning and transition purposes, federal agencies may wish to closely follow the development of these new 83 publications by NIST. 84 Organizations are encouraged to review all draft publications during public comment pe