NIST SP 800-161: Cybersecurity Supply Chain Risk Management

NIST SP 800-161 Rev. 1 provides guidance for cybersecurity supply chain risk management (C-SCRM) across systems, products, services, suppliers, and organizational risk-management activities. It is directly relevant when supplier assurance, procurement, product or service acquisition, dependency risk, or supplier governance is the reason for action.

For supply chain security, the practical question is not only whether an organization has a supplier risk process. It is whether supplier, product, service, dependency, and acquisition risks are identified, assessed, mitigated, monitored, and supported by evidence that can be reviewed later.

This page focuses only on the parts of NIST SP 800-161 that drive supply chain security controls and evidence. It is not a complete implementation guide for the publication.

Source status

This page is based on NIST SP 800-161 Rev. 1 Update 1 and was last reviewed against the official NIST publication page on 2026-07-01. It interprets supply chain security implications for this handbook and is not a complete C-SCRM implementation guide.

Official references

Use the official NIST sources for the publication text, updates, errata, and citation details.

Who should care

This page is relevant to:

  • Procurement, supplier assurance, risk, and governance teams defining supplier evidence requirements.
  • Product and service owners assessing supplier, dependency, component, software, firmware, or managed-service risk.
  • Suppliers asked to explain how they manage their own supply chain and sub-tier dependencies.
  • Audit, assurance, and compliance teams reviewing C-SCRM evidence, risk decisions, and mitigation plans.

Scope and supply chain relevance

NIST SP 800-161 is centered on C-SCRM: identifying, assessing, and mitigating cybersecurity risks throughout supply chains. For this handbook, its value is the operating model it gives to supplier and dependency assurance work.

SP 800-161-relevant work usually centers on supplier criticality, acquisition and procurement requirements, supplier risk assessment, sub-tier visibility, dependency risk, counterfeit or compromised products and services, risk response, monitoring, and coordination across organizational risk-management processes.

For supply chain security, scope questions usually become evidence questions:

  • Which suppliers, products, services, components, software, firmware, or dependencies are critical to the decision?
  • What risks are being assessed: counterfeit, malicious functionality, vulnerable components, weak development practices, weak manufacturing practices, compromised services, or dependency concentration?
  • What supplier evidence, acquisition records, risk decisions, mitigation plans, exceptions, and review cadence need to be retained?

This page does not attempt to apply the whole C-SCRM program to every organization. It highlights the supply chain security work that SP 800-161 can drive when a team needs a supplier and dependency risk-management model.

Relationship to other standards and drivers

SP 800-161 is supply-chain-risk-management-led. It asks whether cybersecurity risks from suppliers, products, services, systems, and dependencies are managed as part of governed risk management.

It may interact with:

  • NIS2, where regulated customers need governed supplier and supply chain risk management.
  • EU Cyber Resilience Act, where product manufacturers need supplier and component evidence for products with digital elements.
  • NIST SSDF, where supplier software and secure-development evidence is requested.
  • IEC 62443, where industrial product, component, patching, and lifecycle evidence is requested.
  • SBOM/VEX expectations, procurement frameworks, and customer assurance requirements.
  • Practices & Controls that operate supplier assurance, product acceptance, vulnerability management, lifecycle monitoring, and audit readiness.

Threats and failure modes addressed

SP 800-161-relevant practices can help reduce supply chain failures such as:

  • critical suppliers or dependencies are unknown or unassessed
  • supplier risk is treated as a one-time questionnaire rather than a managed lifecycle risk
  • procurement requirements do not include security or evidence expectations
  • sub-tier dependencies remain opaque
  • counterfeit, tampered, vulnerable, or unsupported products and services are accepted without review
  • supplier incidents are not escalated or coordinated
  • risk acceptance and mitigation decisions are not retained
  • supplier assurance evidence is stale, generic, or not tied to the decision

SP 800-161 expectations mapped to supply chain controls and evidence

Each entry below gives an SP 800-161-related expectation, the supply chain threat or failure mode it addresses, the practices & controls that operate it, and the evidence to retain or request.

Supplier criticality and risk assessment (SP 800-161 § 2.2)

  • Threat or failure mode: Critical suppliers, services, products, or dependencies are not identified before procurement or continued use.
  • Practices & controls: Supplier inventory, criticality assessment, risk review, renewal review.
  • Evidence to retain or request: Supplier inventory, criticality ratings, supplier risk assessments, review records, renewal decisions.

Procurement and acquisition security requirements (SP 800-161 § 3.1; SP 800-161 SR-5)

  • Threat or failure mode: Security expectations are added after purchase or are not tied to acceptance criteria.
  • Practices & controls: Procurement security requirements, contractual evidence clauses, product or service acceptance criteria.
  • Evidence to retain or request: Security clauses, evidence requirements, acceptance criteria, procurement review records, supplier commitments.

Supplier assurance and monitoring (SP 800-161 SR-6)

  • Threat or failure mode: Supplier claims are accepted without artifacts, verification paths, review cadence, or remediation tracking.
  • Practices & controls: Supplier assurance review, supplier evidence requirements, supplier remediation tracking.
  • Evidence to retain or request: Questionnaires with supporting artifacts, audit reports, product-scoped evidence, review records, remediation plans.

Dependency and sub-tier visibility (SP 800-161 SR-3)

  • Threat or failure mode: Product, service, software, component, or sub-tier dependencies are hidden until incident or vulnerability response.
  • Practices & controls: Dependency inventory, sub-tier declaration, supplier responsibility matrix, component visibility.
  • Evidence to retain or request: SBOM/xBOM, dependency inventory, sub-tier declaration, supplier responsibility matrix, support and ownership records.

Risk response and exception handling (SP 800-161 § 2.3; SP 800-161 SR-2)

  • Threat or failure mode: Risks are discussed but not mitigated, accepted, escalated, or reviewed.
  • Practices & controls: Risk response workflow, exception process, mitigation planning, review cadence.
  • Evidence to retain or request: Risk acceptance records, mitigation plans, exception records, owner and due-date records, periodic review notes.

Supplier incident and coordination planning (SP 800-161 SR-8)

  • Threat or failure mode: Supplier incidents do not trigger timely notification, escalation, or coordinated response.
  • Practices & controls: Supplier incident notification clauses, escalation contacts, incident coordination process.
  • Evidence to retain or request: Notification clauses, escalation contacts, incident reports, supplier communications, post-incident review records.

What to do next