Authoritative Sources On C-SCRM

The US National Institute of Standards and Technology (NIST) is the authoritative source on C-SCRM-related matters for the US Government. Two statutory provisions establish this:

  • Section 1323 of the SECURE Technology Act calls for NIST to develop "supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."

  • Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires NIST to consult with the Federal Acquisition Security Council (FASC) and to participate in FASC activities as a member, advising the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with those standards and guidelines.

Together, these provisions make NIST the authoritative source for SCRM-related standards and guidance across the US Government.

Primary Sources For C-SCRM Practices

The following sources are foundational to C-SCRM. The list is dominated by NIST publications.

NIST SP 800-161 R1

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

NIST SP 800-161 is the US Government's primary guidance document on SCRM.

Note: the original 2015 version carries the title above. Revision 1, expected in 2021 and published in May 2022, is retitled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

NIST IR 8286

Integrating Cybersecurity and Enterprise Risk Management (ERM)

NIST IR 8286 is intended to help improve cybersecurity risk management practices as part of an organization's overall Enterprise Risk Management (ERM) program.

NIST SP 800-53 R5

Security and Privacy Controls for Information Systems and Organizations

NIST SP 800-53 is the US Government's primary catalog of cybersecurity and privacy controls. Nearly all of the controls in NIST SP 800-161 are drawn from NIST SP 800-53 (Revision 4 at the time 800-161 was written).

NIST IR 8276

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

NIST IR 8276 is a C-SCRM best-practices guide, based on information gathered during NIST's 2015 and 2019 research initiatives, that an organization of any size, scope, or complexity can use to build a robust C-SCRM program or function.

Supporting Sources For SCRM Practices

The following sources generally build off of the concepts established by the NIST publications listed above.

CISA - SCRM Essentials

Infographic "leader's guide" on SCRM from the Cybersecurity and Infrastructure Security Agency (CISA).

USCC - 2020 Annual Report To Congress

2020 Annual Report To Congress from the US-China Economic and Security Review Commission.

Supply Chain Risk Management: Reducing Threats to Key US Supply Chains

Short publication from the National Counterintelligence and Security Center (NCSC) on key threats to the US supply chain.

Planning for the Inevitable: The Role of the Federal Supply Chain in Preparing for National Emergencies

SCRM-related planning guidance from the IBM Center for The Business of Government.

Supply Chain Vulnerabilities from China in US Federal Information and Communications Technology

2018 report from the US-China Economic and Security Review Commission.