NIST Special Publication 800
NIST SP 800-161r1-upd1
Cybersecurity Supply Chain Risk
Management Practices for Systems
and Organizations
Jon Boyens
Angela Smith
Nadya Bartol
Kris Winkler
Alex Holbrook
Matthew Fallon
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-161r1-upd1
Jon Boyens
Angela Smith
Computer Security Division
Information Technology Laboratory
Nadya Bartol
Kris Winkler
Alex Holbrook
Matthew Fallon
Boston Consulting Group
May 2022
INCLUDES UPDATES AS OF 11-01-2024; SEE APPENDIX K
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology
Certain equipment, instruments, software, or materials, commercial or non-commercial, are identified in this
paper in order to specify the experimental procedure adequately. Such identification does not imply
recommendation or endorsement of any product or service by NIST, nor does it imply that the materials or
equipment identified are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in
accordance with its assigned statutory responsibilities. The information in this publication, including concepts and
methodologies, may be used by federal agencies even before the completion of such companion publications.
Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist,
remain operative. For planning and transition purposes, federal agencies may wish to closely follow the
development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback
to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at
https://csrc.nist.gov/publications.
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal
Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is
responsible for developing information security standards and guidelines, including minimum requirements for
federal information systems, but such standards and guidelines shall not apply to national security systems
without the express approval of appropriate federal officials exercising policy authority over such systems. This
guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines
be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the
OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary
basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
NIST Technical Series Policies
Copyright, Use, and Licensing Statements
NIST Technical Series Publication Identifier Syntax
Publication History
Approved by the NIST Editorial Review Board on 2024-09-25
Supersedes NIST Special P