NIST 800-161 — also identified as NIST Special Publication (SP) 800-161 — was published in April 2015 as Supply Chain Risk Management Practices for Federal Information Systems and Organizations. In May 2022, a year after President Biden’s Executive Order on Improving the Nation’s Cybersecurity, NIST produced a revised version, NIST 800-161 rev. 1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. The revision added a focus on cybersecurity and dropped the specificity of federal agencies from the title.
NIST is the US Department of Commerce’s National Institute of Standards and Technology, which aims to improve economic security and quality of life via innovation. From a cybersecurity standpoint, NIST aims to help industry, federal agencies, and the public by developing cybersecurity standards, best practices, and resources.
This NIST cybersecurity framework helps federal agencies concerned about the potential threats linked to information and communications technology (ICT) products and services, including poor configuration management, vulnerabilities that hackers could exploit, or weaknesses in third-party suppliers’ computer security, such as how they handle authentication and access control.
While government agencies and federal suppliers have used the framework to improve their cybersecurity awareness, incident response strategies, and risk mitigation practices, the revised document is flexible enough to be used by organizations in any sector.
Who Can Use NIST SP 800-161 Rev. 1?
With NIST SP 800-161 rev. 1 guidelines, an organization has a framework to examine any part of a supply chain and identify, assess, and mitigate cybersecurity risks. NIST SP 800-161 rev. 1 integrates cybersecurity supply chain risk management (C-SCRM) and risk management, helping companies form directives, strategies, implementation plans, policies, and supply chain risk assessments for products and services.
It is not a roadmap to an agreed level of capability, but organizations of all sizes and structures can adapt the guidelines to implement sufficient supply chain risk management activities and ensure they meet minimum security requirements to protect themselves, their clients, and their business partners.
Anyone with the following responsibilities might use the guidelines:
- Information security
- Privacy or risk management processes
- System development
- Project management
- Product and services acquisition and procurement
- Security and privacy implementation
- Security and privacy assessment
- Commercial services that support information security or privacy
The following organizational roles are examples of stakeholders that might benefit from using the NIST 800-161 rev. 1 guideline:
- Business owners
- Program managers
- Chief information officers
- Chief information security officers (CISOs)
- System engineers
- Hardware and software developers
- Acquisition and procurement officials
- Contracting officers
- Certified project managers
- Privacy engineers
- Property managers
- System administrators
- System security or privacy officers
- Independent verifiers
Is NIST 800-161 Mandatory?
Yes, compliance with NIST publications is required for federal agencies. For non-government organizations, however, using the NIST cybersecurity framework is voluntary.
What’s the Difference Between NIST SP 800-53 and NIST SP 800-161?
The NIST 800 series describes the US policy on computer security and network infrastructure. NIST SP 800-53 gives an overview of all the minimum security safeguards required to achieve information security with this framework.
NIST 800-161 is complimentary to NIST 800-53. It incorporates ICT supply chain risk management, providing updated guidance on identifying, assessing, and responding to supply chain risks throughout an organization.
So NIST 800-53 summarizes the first moves for companies wishing to develop or improve cybersecurity programs with the NIST cybersecurity framework. Once an organization has implemented NIST 800-53, it can then use NIST 800-161 to mature its supply chain security.
What’s the Difference Between NIST SP 800-161 and NIST SP 800-171?
The main difference between NIST SP 800-161 and NIST SP 800-171 is that NIST 800-171 is specifically tailored to regulating federal agencies and related third parties on handling Controlled Unclassified Information (CUI). Although CUI is not “classified information”, or information that is deemed a threat to national security if exposed, it still embodies all sensitive government data that the government handles.
NIST 800-161 is primarily used to define and handle supply chain risks that may affect an organization. Both publications can be used together if entities within the supply chain handle CUI and, therefore, must abide by its rules.
Supply Chain Risks
NIST generally considers Supply Chain Risk Management (SCRM) and Cyber Supply Chain Risk Management (C-SCRM) - which overlaps with traditional information security - the same concept. Exploring NIST 800-161 rev. 1 guidelines can help businesses concerned with ICT supply chain risks or seeking information on supply chain security and this area of risk management.
Defining the Supply Chain
Day-to-day business processes that lead to the creation, distribution, or sale of products and services typically rely on supplies from other businesses, whether these supplies are products, services, or raw materials.
The supply chain might be simple for a small firm, but enterprise-level operations tend to have a complex supply chain ecosystem of interconnected parts, typically with a wide geographic distribution, especially with IT service providers that need not be bound by geographic location.
A supply chain, therefore, refers to the linked set of processes and resources required at various levels of an enterprise. It begins with sourcing products and services and continues throughout the product or service's lifecycle.
With advanced communications, manufacturing techniques, and logistics, organizations can achieve significant cost reductions and other benefits with information sharing and proper management of their supply chains. For example, open-source or off-the-shelf software solutions can help businesses in all sectors be more cost-effective.
However, the multitude of solutions and avenues within the supply chain also increases the potential risk. Furthermore, digital security risks in the software supply chain can be hard to detect until they impact the acquirer or user.
What is Supply Chain Risk?
Supply chain risk concerns businesses because it’s harder to understand and mitigate third-party vulnerabilities than an organization’s direct issues. The security concerns of an organization also exist within their third-party providers’ organizations, but seeing those issues and ensuring they are dealt with is more challenging since they are external to the organization. Identifying and assessing a third-party solution provider’s resilience, safety, quality, and security is challenging.
It’s essential to consider and clarify that suppliers also have supply chains. This means that a firm’s security is not only impacted by its suppliers’ vulnerabilities but its suppliers’ vulnerabilities, too. A cyber attack may occur in an organization or several tiers down its supply chain. This risk, nonetheless, needs analysis, assessment, mitigation, and contingency planning.
How NIST 800-161 Helps Organizations
NIST 800-161’s focus on supply chain controls helps organizations mature their cybersecurity practices and benefits them in several key areas:
- Effective Risk Management
- Assessing Software Vendors
- Evaluation of Open-Source Software
1. Risk Management
NIST 800-161’s guidelines are aimed at larger public organizations, but the overall objectives for all businesses will be similar: to develop, implement, and refine monitoring and to reduce supply chain risk.
According to the guidelines, risk management works best when it involves people from various important business processes. Restricting cybersecurity risk management to security or technical personnel is unlikely to provide robust, company-wide solutions.
It’s up to the organization whether it builds on its existing risk management structure or creates a separate team to focus on the supply chain. Whichever the case, organizations should consider strategy, operations, and tactics.
NIST 800-161’s Appendix D helps users get started with strategy and drafting policy documents. Its six sections, as follows, are particularly useful to the C-suite and system managers, such as developers and engineers.
- Authority and compliance
- Strategy objectives
- Implementation plan and progress tracking
- Roles and responsibilities
- Revision and maintenance
In addition, NIST offers four key practices to stay on top of threats with continuous risk management.
- Framing risk - this helps the organization decide what it understands by risk and how to estimate its security posture considering the current threat landscape. The organization must also consider what threats and business areas to prioritize.
- Assessing risk - this consideration helps organizations hone in on how likely they are to be impacted by identified risks and how significant the damage could be.
- Responding to risk - Having identified and prioritized risks, it’s time to implement strategies to mitigate those issues.
- Monitoring risk - NIST 800-161 highlights this crucial step in risk management practices. By monitoring its risk mitigation strategies, the firm can get valuable insights into how it stands against the evolving cyber threat landscape.
2. Assessing Software Vendors
Assessing software vendors is critical to ensure that the software used by federal organizations does not have exposed vulnerabilities. On the contrary, developers may release software knowing it must be patched to ensure reliability and safety.
Introducing new software can be a high-risk activity. NIST 800-161 helps organizations work with software vendors, starting at the procurement stage and through the product lifecycle.
The guidelines feature a comprehensive checklist to this effect, including the following steps:
- Investigation of suppliers in terms of foreign ownership, control, or influence (FOCI)
- Seeking a bill of materials, a comprehensive list of physical resources required to produce an end-product - since Biden’s executive order in 2021, organizations working with federal agencies must provide a bill of materials
- Verifying the presence and alignment of information security controls
- Verifying that open source software has been vetted before use
3. Mitigating Risk from Open-Source Software
According to the Linux Foundation, Free and Open Source Software (FOSS) makes up between 70% and 90% of modern software solutions.
NIST 800-161 helps organizations acquire and use open-source software according to helpful standards to protect information security. One of its recommendations is that organizations use approved, verified sources for open-source software to limit exposure to cybersecurity risks via this part of the digital supply chain.
It specifies that organizations must educate themselves and follow best practices established by the open-source software community, including configuration management, project maintenance, and procedures regarding reusable libraries that limit exposure to cybersecurity risks.
Key Cyber-Supply Chain Risk Management (C-SCRM) Practices
Once a firm has achieved a basic level of cybersecurity maturity — using NIST standards or one or more other reputable frameworks, such as ISO 27001 — it can then use NIST 800-161 to focus on managing cyber supply chain risks, focusing on the publication’s essential practices, including:
- Formalizing C-SCRM
- Making C-SCRM company-wide
- Identifying and managing critical products, services, and suppliers
- Assessing and monitoring the entire supply chain
- Collaboration with critical suppliers
NIST 800-161 helps firms get a handle on supply chain risks with guidance through three distinct practice types:
- Foundational Practices
- Sustaining Practices
- Enhancing Practices
NIST 800-161 guidelines demonstrate that they appreciate the challenges organizations face when improving supply chain cybersecurity. Its foundational practices are many and varied, each helping businesses move incrementally toward improved supply chain cybersecurity and more advanced supply chain cybersecurity practices.
Foundational practices suggested by NIST 800-161 include the following:
- Raising awareness of the vital importance of C-SCRM
- Allocating sufficient resources for information security and C-SCRM
- Establishing a C-SCRM team
- Integrating C-SCRM into organizational policies
- Integrating C-SCRM into acquisition/procurement policies
- Implementing a risk management process, including company-wide risk assessment
- Identifying and measuring the criticality of products, services, and suppliers
- Prioritizing supplier risk
- Establishing collaborative roles and processes for the supply chain and cybersecurity
- Establishing quality control and internal check procedures
- Implementing an incident management program that can identify security incidents that originate in the digital supply chain
There is some overlap between these and foundational practices. Businesses should focus more on sustaining practices having achieved proficiency with foundational practices, ready to take C-SCRM to the next level.
NIST 800-161’s sustaining practices include:
- Assessing critical suppliers via third-party assessments, site visits, and formal certifications
- Defining the organization’s tolerance to risk so that stakeholders can make decisions in line with the organization’s security posture and its attitude to supply chain risks
- Working with the Federal Acquisition Security Council (FASC) to share knowledge of cyber supply chain risks
- Considering C-SCRM (evidenced by documented policies and processes) at every stage of the service and product lifecycle
- Including C-SCRM considerations in organizational training, including but not limited to training related to information security, risk management, HR, and procurement
- Communicating the firm’s requirements and standpoint on C-SCRM to its current and future suppliers
- Working with the organization’s supply chain to improve cybersecurity throughout
- Using C-SCRM metrics to assess and improve the efficacy of all policies, procedures, and activities
This stage of C-SCRM practices refers to moving an organization into a position where it can predict supply chain risks and adapt quickly. Therefore, it’s the remit of organizations with more mature C-SCRM practices, having followed foundational and sustaining practices for some time.
Enhancing practices include:
- Automating C-SCRM processes to refocus resources on other critical C-SCRM activities
- Performing quantitative risk analyses to make risk assessments more accurate and risk management more effective
- Using insights to adapt to predicted changes in cyber supply chain risk
ICT SCRM Program Security Controls
According to NIST, security controls aim to protect the confidentiality, integrity, and availability of information systems and the information they process, store, and transmit. NIST 800-53 describes 19 security control families to help organizations use its SCRM control assessment techniques.
The NIST 800-53 regulatory standard gives minimum acceptable information security controls required for all US federal information systems and organizations. The benefits of using this as a template include its flexibility, standardized measures that help organizations compare and measure their activities, and its ability to improve information systems’ security postures.
Used with NIST SP 800-161, it provides a baseline that helps organizations understand their current security postures, prioritize areas that need urgent attention, and measure the effectiveness of their risk management programs.
1. Access Control
The access control family pertains to guidance on implementing policies that govern access privileges to networks, systems, and devices. Proper access control can dramatically reduce the risk of a data breach and other risks related to an organization’s digital supply chain.
2. Awareness Training
Awareness training guides organizations regarding defining and implementing training and education for cyber awareness and methods for making cybersecurity training a sustainable strategy to reduce cyber risks.
Training is essential to strengthen a business’s front line against cyber attacks. By ensuring that awareness training is a core part of a business’s cybersecurity strategy, users can identify threats to data privacy and system security. Furthermore, they will improve a firm’s security posture by being able to respond to cyber threats promptly and appropriately.
3. Audit and Accountability
Event logging is an important part of any cybersecurity system. Logs help cybersecurity professionals identify the locations and sources of problems during a cyber incident, like a data breach or data leak.
With adequate logs, it’s possible to determine who had access to affected data, who was using the system at the time of the incident, and whether the unusual activity occurred on the network. Log audits, therefore, help mitigate breaches and other system issues, as well as being a resource for accountability.
4. Assessment, Authorization, and Monitoring
This set of controls helps firms continuously improve their cybersecurity policies, procedures, and systems. It helps organizations assess their current cybersecurity maturity and refine their practices. Cybercriminals are continually seeking vulnerabilities and ways to exploit them. This family helps organizations stay current to limit the potential impact of emerging threats.
5. Configuration Management
Misconfiguration can lead to significant vulnerabilities in cybersecurity systems. Through a misconfigured database, for example, users may be able to find sensitive data with just a web search, without authentication.
This set of controls helps organizations set out configuration management policies to ensure that something like this doesn’t happen to them.
Among the issues, this set of controls addresses is the management of unknown devices. Organizations require written policies regarding how they treat unknown, unvetted devices to protect the integrity of information systems.
6. Contingency Planning
In cybersecurity, contingency planning involves preparing for potential system failures and data breaches. While many cybersecurity practices focus on preventing cyber attacks, contingency planning helps organizations function even after the worst has happened.
These controls help organizations create formal contingency plans that help them restore normal operations as quickly and efficiently as possible. The systems by which this is achieved include data backups and the use of cloud-based storage solutions.
Alternate sites are also a consideration at this stage, so these control groups help businesses face the possibility of having to relocate due to an incident. They also help companies to create policies and procedures for testing contingency plans, which is essential to their successful, efficient implementation during a crisis.
7. Identification and Authentication
These controls are all about identifying both users and their devices. Identifying users typically occurs via a username or email address and provides information on who is on the system.
Authentication is frequently but not exclusively managed by passwords. Other forms of authentication include voice recognition and fingerprint scans.
Identification and authentication security controls can help improve user management policies to protect sensitive data more effectively.
8. Incident Response
This set of controls helps organizations with training and other preparations for a cyber security incident. It includes standards for the creation of a documented incident response plan. This should comprise specific incidents that could occur and impact the organization, as identified and assessed during the risk management process.
Specific incidents might include a ransomware attack, a data breach by an insider, or a distributed denial-of-service (DDoS) attack. Businesses will have different primary risks according to size, sector, location, and other variables.
Cybersecurity maintenance controls refer to software and hardware maintenance. Updates ensure that software is patched and that hardware is fully functional, preventing downtime and offering remediating vulnerabilities.
Proper maintenance requires a software and hardware audit policy to ensure maintenance is not left to chance. The maintenance policy should identify who is responsible for maintenance and their key responsibilities.
10. Media Protection
Media protection controls refer to the policies on how an organization uses media and how the files are stored. It needs to cover how and when they are destroyed. This set of controls helps organizations establish written procedures to ensure data protection by preventing things from slipping between the cracks, which could lead to data leaks or data breaches.
11. Physical and Environmental Protection
Mitigating threats via physical security policies and procedures is vital but sometimes eclipsed by software solutions when organizations enhance their cybersecurity.
Physical and environmental protections include:
- Locking doors
- Using CCTV
- Implementing a badge system for staff and visitors
This control family helps organizations monitor their visitors to control physical access and assists organizations in detailing their intended response to physical threats. These responses might include relocation to alternative facilities or switching to emergency power sources.
Physical security and protection of the environment are essential cybersecurity considerations because they can mitigate vulnerabilities and help limit access to the most sensitive information.
Here, planning focuses organizations on plans for information security and data privacy. It’s an essential step before implementing any new system as it helps organizations determine needs and expectations, maximizing effectiveness and minimizing cost and disruption. Planning controls extend to network architecture, management, and configuration.
13. Program Management
Program management examines information security, risk management, and critical infrastructure planning. The crux is that it’s not enough to create documents covering these areas, although some businesses stop there, feeling that they have fulfilled their cybersecurity requirements.
14. Personnel Security
This set of controls looks at an organization’s personnel and how they affect cybersecurity. Insider threat comes from anyone with (or who has had) authorized access to an organization’s resources or knowledge of those resources, such as information systems, access credentials, and personnel.
While much of cybersecurity can be outward facing, it is essential to mitigate potential risks from bad actors internal to the organization. These controls acknowledge that different employees have different exposures to risk and different information access needs. The family helps organizations develop sufficient policies and procedures regarding personnel to protect information security.
15. Personally Identifiable Information (PII) Processing and Transparency
Using PII has become a necessity for most modern businesses, but losing PII in a data breach can be damaging in terms of financial loss and lost reputation. This essential family helps organizations face the risk of collecting, storing, and transmitting PII, focusing on ways to lower the risk associated with this sensitive information. These controls help organizations protect data by managing PII through consent and privacy policies.
16. Risk Assessment
Assessing system vulnerabilities and estimating their likelihood and potential impact is key to developing or enhancing cybersecurity. Not all risks are equal, depending on multiple factors, such as the business's size, industry, and geographic location. The geographic location is important because some areas are more prone to specific cyber attacks than others.
With an understanding of what risks exist, their likelihood, and their potential impact, organizations can prioritize and determine realistic risk response procedures.
17. System and Services Acquisition
This set of control families refers to allocating resources and creating safe acquisition processes.
Integrating new systems and devices requires care. Organizations must protect the existing infrastructure by avoiding introducing new threats, such as pre-existing malware and configuration issues. Achieving this necessitates careful, controlled implementation to ensure continued security.
This set of controls is particularly useful because it helps ensure system-wide data integrity. It also points to training to ensure this critical aspect of cybersecurity occurs safely, testing for vulnerabilities, and continual system monitoring.
18. System and Communications Protection
Implementation and management of collaborative devices is the remit of this cybersecurity control family. It helps organizations develop rules to establish boundary protection, access control, partitions, and restrictions on usage. The system and communications protection control family also helps organizations manage cryptography implementation.
19. System and Information Integrity
These controls help maintain the integrity of information systems by protecting them from malware and other attacks that can compromise information systems. System-wide monitoring is required to ensure integrity at all times.
20. Supply Chain Risk Management
Supply chain risk is an organization’s risk not only from suppliers (third-party risk) but from their suppliers’ suppliers (fourth-party risk). Getting a grip on the scope of third- and fourth-party risks can be a significant challenge.
This set of controls helps firms look at how they can assess their suppliers and manage and mitigate the associated risks. It will help companies develop or implement ways to inspect supply chain systems and components and perform essential third-party risk management.