NIST SP 800-161 aims to reshape supply chain risk management: What does it mean for government contractors?
May 25, 2021 · Authored by Matt Gilbert, Leo Alvarez, Jeff K. Clayton
On April 29, 2021 the National Institute of Standards and Technology (NIST) unveiled an initial public draft of its first major revision to Special Publication 800-161, Cyber Supply Chain Risk Management Practices for Systems and Organizations. The publication represents NIST’s flagship framework to evaluate supply chain security for federal agencies and has not been revised since its original publication in April 2015. While federal agencies were the intended audience for the original publication, NIST has stated that the revised framework is designed to be adapted by a wide variety of organizations in assessing supply chain risk management (SCRM) processes and controls.
Federal contractors, in particular, are expected to reap benefits from the rollout of the revised publication. These organizations have been challenged in recent years to adapt their legal and compliance strategies to growing regulatory measures seeking to alleviate concerns over data security and vulnerabilities in the information and communications technology (ICT) supply chain. The call to resolve these issues has been accelerated by supply chain infiltrations like the SolarWinds event, cyber espionage by foreign governments, and other unexpected events that have created supply chain bottlenecks and significant business continuity issues (e.g., the COVID-19 pandemic, the Suez Canal incident and the Colonial Pipeline cyberattack). Companies that work closely with the government are expected to be more vigilant than ever in protecting and ensuring the security of their supply chain.
Understanding the criticality of this issue, federal contractors would be wise to consider the updates found in this latest draft revision and provide comment to NIST by the due date (June 14, 2021) in order to help shape the final publication. NIST anticipates releasing a second draft in September 2021 and a final version by April 2022.
Specifically, the revision incorporates a number of important changes intended to reshape how federal agencies think about and monitor risks to increasingly complex and globally distributed supply chains. Several of the most important changes include:
- Conceptual refinements: Distinguishes “supply chain” from “cyber supply chain” as two distinct concepts, a distinction that may not have been apparent previously: