NIST SP 800-161r1 Compliance

CA-2 (2) Control Assessments | Specialized Assessments
Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Enterprises should use various assessment techniques and methodologies, such as continuous monitoring, insider threat assessment, and malicious user assessment. These assessment mechanisms are context-specific and require the enterprise to understand its supply chain and define the required set of measures for assessing and verifying that appropriate protections have been implemented.

CA-2 (3) Control Assessments | Leveraging Results from External Organizations
Organizations may rely on control assessments of organizational systems by other (external) organizations.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: For C-SCRM, enterprises should use external security assessments for suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. External assessments include certifications, third-party assessments, and – in the federal context – prior assessments performed by other departments and agencies. Certifications from the International Enterprise for Standardization (ISO), the National Information Assurance Partnership (Common Criteria), and the Open Group Trusted Technology Forum (OTTF) may also be used by non-federal and federal enterprises alike if such certifications meet agency needs.

CP-2 (7) Contingency Plan | Coordinate with External Service Providers
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Enterprises should define and implement a contingency plan for the supply chain information systems and network to ensure that preparations are in place to mitigate the loss or degradation of data or operations. Contingencies should be put in place for the supply chain, network, information systems (especially critical components), and processes to ensure protection against compromise and provide appropriate failover and timely recovery to an acceptable state of operations.

IR-4 (10) Incident Handling | Supply Chain Coordination
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: A number of enterprises may be involved in managing incidents and responses for supply chain security. After initially processing the incident and deciding on a course of action (in some cases, the action may be “no action”), the enterprise may need to coordinate with their suppliers, developers, system integrators, external system service providers, other ICT/OT-related service providers, and any relevant interagency bodies to facilitate communications, incident response, root cause, and corrective actions. Enterprises should securely share information through a coordinated set of personnel in key roles to allow for a more comprehensive incident-handling approach. Selecting suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers with mature capabilities for supporting supply chain cybersecurity incident handling is important for reducing exposure to cybersecurity risks throughout the supply chain. If transparency for incident handling is limited due to the nature of the relationship, define a set of acceptable criteria in the agreement (e.g., contract). A review (and potential revision) of the agreement is recommended, based on the lessons learned from previous incidents. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.

IR-5 Incident Monitoring
Track and document incidents.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Enterprises should ensure that agreements with suppliers include requirements to track and document incidents, response decisions, and activities.

IR-6 (3) Incident Reporting | Supply Chain Coordination
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Communications of security incident information from the enterprise to suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers and vice versa require protection. The enterprise should ensure that information is reviewed and approved for sending based on its agreements with suppliers and any relevant interagency bodies. Any escalation of or exception from this reporting should be clearly defined in the agreement. The enterprise should ensure that incident reporting data is adequately protected for transmission and received by approved individuals only. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.

IR-8(1) Incident Response Plan | Breaches
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
(c) Identification of applicable privacy requirements.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:Enterprises should coordinate, develop, and implement an incident response plan that includes information-sharing responsibilities with critical suppliers, and, in a federal context, interagency partners and the FASC. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.

PM-9 Risk Management Strategy
a. Develop a comprehensive strategy to manage:
1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy as required, to address organizational changes.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: The risk management strategy should address cybersecurity risks throughout the supply chain.

PM-30 Supply Chain Risk Management Strategy
a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on an organization-defined frequency or as required, to address organizational changes.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: The Supply Chain Risk Management Strategy (also known as C-SCRM Strategy) should be complemented with a C-SCRM Implementation Plan that lays out detailed initiatives and activities for the enterprise with timelines and responsible parties. This implementation plan can be a POA&M or be included in a POA&M. Based on the C-SCRM Strategy and Implementation Plan at Level 1, the enterprise should select and document common C-SCRM controls that should address the enterprise, program, and system-specific needs.

PM 30 (1) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-Essential Items
Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: See above.

PM-31 Continuous Monitoring Strategy
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
a. Establishing organization-wide metrics to be monitored;
b. Establishing defined frequencies for monitoring and assessment of control effectiveness;
c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
d. Correlation and analysis of information generated by control assessments and monitoring;
e. Response actions to address results of the analysis of control assessment and monitoring information; and
f. Reporting the security and privacy status of organizational systems to defined personnel.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: The continuous monitoring strategy and program should integrate C-SCRM controls.

RA-1 Policy and Procedures
Develop, document, and disseminate:
1. A risk assessment policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
b. Designate an official to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
c. Review and update the current risk assessment:
1. Policy and
2. Procedures.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Risk assessments should be performed at the enterprise, mission/program, and operational levels. The system-level risk assessment should include both the supply chain infrastructure (e.g., development and testing environments and delivery systems) and the information system/components traversing the supply chain. System-level risk assessments significantly intersect with the SDLC and should complement the enterprise’s broader RMF activities, which take part during the SDLC. A criticality analysis will ensure that mission-critical functions and components are given higher priority due to their impact on the mission if compromised. The policy should include supply chain-relevant cybersecurity roles that apply to performing and coordinating risk assessments across the enterprise (see Section 2 for the listing and description of roles). Applicable roles within suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers should be defined.

RA-2 (1) Security Categorization | Impact-Level Prioritization
Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Security categorization is critical to C-SCRM at Levels 1, 2, and 3. In addition to [FIPS 199] categorization, security categorization for C-SCRM should be based on the criticality analysis that is performed as part of the SDLC. See Section 2 and [NISTIR 8179] for a detailed description of criticality analysis.

RA-3 (1) Risk Assessment | Supply Chain Risk Assessment
(a) Assess supply chain risks associated with systems, components, and services; and
(b) Update the supply chain risk assessment when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Risk assessments should include an analysis of criticality, threats, vulnerabilities, likelihood, and impact, as described in detail in Appendix C. The data to be reviewed and collected includes C-SCRM-specific roles, processes, and the results of system/component and services acquisitions, implementation, and integration. Risk assessments should be performed at Levels 1, 2, and 3. Risk assessments at higher levels should consist primarily of a synthesis of various risk assessments performed at lower levels and used for understanding the overall impact with the level (e.g., at the enterprise or mission/function levels). C-SCRM risk assessments should complement and inform risk assessments, which are performed as ongoing activities throughout the SDLC, and processes should be appropriately aligned with or integrated into ERM processes and governance.

RA-3 (2) Risk Assessment | Use of All-Source Intelligence
Use all-source intelligence to assist in the analysis of risk.

RA-3 (3) Risk Assessment | Dynamic Threat Awareness
Determine the current cyber threat environment on an ongoing basis.

RA-3 (4) Risk Assessment | Predictive Cyber Analytics
Employ advanced automation and analytics capabilities to predict and identify risks.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: See RA-3 (1)

RA-7 Risk Response
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Enterprises should integrate capabilities to respond to cybersecurity risks throughout the supply chain into the enterprise’s overall response posture, ensuring that these responses are aligned to and fall within the boundaries of the enterprise’s tolerance for risk. Risk response should include consideration of risk response identification, evaluation of alternatives, and risk response decision activities.

RA-9 Criticality Analysis
Identify critical system components and functions by performing a criticality analysis at defined decision points in the system development life cycle.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Enterprises should complete a criticality analysis as a prerequisite input to assessments of cybersecurity supply chain risk management activities. First, enterprises should complete a criticality analysis as part of the Frame step of the C-SCRM Risk Management Process. Then, findings generated in the Assess step activities (e.g., criticality analysis, threat analysis, vulnerability analysis, and mitigation strategies) update and tailor the criticality analysis. A symbiotic relationship exists between the criticality analysis and other Assess step activities in that they inform and enhance one another. For a high-quality criticality analysis, enterprises should employ it iteratively throughout the SLDC and concurrently across the three levels. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should also refer to Appendix F to supplement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

SR-1 Policy and Procedures
Develop, document, and disseminate:
1. A supply chain risk management policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
b. Designate an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
c. Review and update the current supply chain risk management:
1. Policy and
2. Procedures

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: C-SCRM policies are developed at Level 1 for the overall enterprise and at Level 2 for specific missions and functions. C-SCRM policies can be implemented at Levels 1, 2, and 3, depending on the level of depth and detail. C-SCRM procedures are developed at Level 2 for specific missions and functions and at Level 3 for specific systems. Enterprise functions including but not limited to information security, legal, risk management, and acquisition should review and concur on the development of C-SCRM policies and procedures or provide guidance to system owners for developing system-specific C-SCRM procedures.

SR-2 Supply Chain Risk Management Plan
a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems, system components, or system services
b. Review and update the supply chain risk management plan as required, to address threat, organizational or environmental changes; and
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: C-SCRM plans describe implementations, requirements, constraints, and implications at the system level. C-SCRM plans are influenced by the enterprise’s other risk assessment activities and may inherit, and tailor common control baselines defined at Level 1 and Level 2. C-SCRM plans defined at Level 3 work in collaboration with the enterprise’s C-SCRM Strategy and Policies (Level 1 and Level 2) and the C-SCRM Implementation Plan (Level 1 and Level 2) to provide a systematic and holistic approach for cybersecurity supply chain risk management across the enterprise. C-SCRM plans should be developed as a standalone document and only integrated into existing system security plans if enterprise constraints require it.

SR-3 Supply Chain Controls and Processes
a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes in coordination with supply chain personnel;
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events; and
c. Document the selected and implemented supply chain processes and controls in the supply chain risk management plan.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Section 2 and Appendix C of this document provide detailed guidance on implementing this control. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028 on Improving the Nation's Cybersecurity.

SR-4 (4) Provenance | Supply Chain Integrity – Pedigree
Employ controls and analyze to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Provenance should be documented for systems, system components, and associated data throughout the SDLC. Enterprises should consider producing SBOMs for applicable and appropriate classes of software, including purchased software, open-source software, and in-house software. SBOMs should be produced using only NTIA-supported SBOM formats that can satisfy [NTIA SBOM] EO 14028 NTIA minimum SBOM elements. Enterprises producing SBOMs should use [NTIA SBOM] minimum SBOM elements as framing for the inclusion of primary components. SBOMs should be digitally signed using a verifiable and trusted key. SBOMs can play a critical role in enabling organizations to maintain provenance. However, as SBOMs mature, organizations should ensure they do not deprioritize existing C-SCRM capabilities (e.g., vulnerability management practices, and vendor risk assessments) under the mistaken assumption that SBOM replaces these activities. SBOMs and the improved transparency they are meant to provide organizations are complementary capabilities, not substitutive ones. Organizations that may not appropriately ingest, analyze, and act on the data that SBOMs provide will likely not improve their overall C-SCRM posture. Federal agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028 on Improving the Nation's Cybersecurity.

SR-5 Acquisition Strategies, Tools, and Methods
Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Section 3 and SA controls provide additional guidance on acquisition strategies, tools, and methods. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028 on Improving the Nation's Cybersecurity.

SR-6 Supplier Assessments and Reviews
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Generally, an enterprise should consider any information pertinent to the security, integrity, resilience, quality, trustworthiness, or authenticity of the supplier or their provided services or products. Enterprises should consider applying this information against a consistent set of core baseline factors and assessment criteria to facilitate equitable comparison (between suppliers and over time). Depending on the specific context and purpose for which the assessment is being conducted, the enterprise may select additional factors. The quality of information (e.g., its relevance, completeness, accuracy, etc.) relied upon for an assessment is also an important consideration. Reference sources for assessment information should also be documented. The C-SCRM PMO can help define requirements, methods, and tools for the enterprise’s supplier assessments. Departments and agencies should refer to Appendix E for further guidance concerning baseline risk factors and the documentation of assessments and Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

SR-8 Notification Agreements
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises; and results of assessments or audits.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: At minimum, enterprises should require their suppliers to establish notification agreements with entities within their supply chain that have a role or responsibility related to that critical service or product. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

SR-13 Supplier Inventory
Develop, document, and maintain an inventory of suppliers that:
1. Accurately and minimally reflects the organization’s tier-one suppliers that may present a cybersecurity risk in the supply chain;
2. Is it at the level of granularity deemed necessary for assessing criticality and supply chain risk, tracking, and reporting;
3. Documents the following information for each tier one supplier (e.g., prime contractor): review and update supplier inventory.
i. Unique identify for procurement instrument (i.e., contract, task, or delivery order);
ii. Description of the supplied products and/or services;
iii. Program, project, and/or system that uses the supplier’s products and/or services; and
iv. Assigned criticality level that aligns with the criticality of the program, project, and/or system (or component of the system).
b. Review and update the supplier inventory.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance: Enterprises rely on numerous suppliers to execute their missions and functions. Many suppliers provide products and services in support of multiple missions, functions, programs, projects, and systems. Some suppliers are more critical than others, based on the criticality of missions, functions, programs, projects, and systems that their products and services support, and the enterprise’s level of dependency on the supplier. Enterprises should use criticality analysis to help determine which products and services are critical to determining the criticality of suppliers to be documented in the supplier inventory. See Section 2, Appendix C, and RA-9 for guidance on conducting criticality analysis.