NIST SP 1326 (Initial Public Draft)
NIST Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Quick-Start Guide
Date Published: October 30, 2024
Comments Due: December 16, 2024 (public comment period is CLOSED)
Email Questions to:
[email protected]
Author(s)
National Institute of Standards and Technology
Announcement
Supply chain risk assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a supplier’s risk prior to entering into an agreement with them.
Based on the widely adopted content in NIST Special Publication (SP) 800-161r1, this new draft Quick-Start Guide proposes an implementation-ready approach to conducting the minimum amount of investigative rigor on potential suppliers. Identifying the primary risk factors that an acquirer should consider can enable quick turnarounds with limited resources.
Abstract
Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161r1 (Revision 1). While due diligence supplier assessments can be applied to any type of supplier, this Quick-Start Guide is scoped to information and communications technology (ICT) suppliers. The components of a Due Diligence Assessment are Supply Chain Tiers; Foreign Ownership, Control, or Influence (FOCI); Provenance; Stability; and Foundational Cyber Practices.
Keywords
cybersecurity supply chain risk management; due diligence; C-SCRM; risk assessment; information and communications technology; ICT; quick-start guide
Control Families
Risk Assessment; Supply Chain Risk Management
Documentation
Publication:
https://doi.org/10.6028/NIST.SP.1326.ipd
Supplemental Material:
NIST C-SCRM Project
Document History:
10/30/24: SP 1326 (Draft)