NIST 800-161 rev. 1: How to build a cyber risk management program

Is your company required to implement a supply chain or third-party risk management program because of a U.S. federal contract or subcontract? Are you seeking to follow proven, well-accepted standards to build or improve your TPRM program? If the answer to either question is yes, check out this overview of the latest update to NIST 800-161, which provides specific guidance for building a cybersecurity supply chain risk management or third-party risk management program.

What is NIST SP 800-161? 

NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations, is the National Institute of Standards and Technology's (NIST) latest guidance on managing supply chain security risks, and it can be used by organizations of any sector or size. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multi-level, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM activities, and enterprise risk function alignment, as well as guidance on risk assessments for products and services. It also includes new controls and metrics for C-SCRM and updated guidance on risk appetite and risk tolerance.

NIST has several publications that include guidance for organizations implementing processes to identify, assess, and manage supply chain risk. These NIST publications include:

  • SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations 

  • NIST SP 8276: Key Practices in Cyber Supply Chain Risk Management: Observations from Industry 

Many NIST publications complement or reference each other, allowing you to map standards, guidance, recommendations, or specific control details between publications. For example, NIST 800-161 Rev. 1 can easily be mapped to the NIST CSF 1.1 Supply Chain (ID.SC) requirements, subcategories ID.SC-1 through ID.SC-5.

NIST 800-161 Rev. 1 was created by NIST in direct response to U.S. Executive Order 14028, which directed NIST to publish guidelines for enhancing software supply chain security.

NIST is a U.S. government agency that develops and manages information security standards. These standards help to secure the information of U.S. government agencies and private industry. NIST also works closely with the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.

How can NIST 800-161 help my C-SCRM or TPRM program? 

Cybersecurity risks in the supply chain include those arising from a supplier's enterprise, its products and services, or the supplier's own suppliers and supply chains. With each downstream supply chain dependency, the acquiring organization loses visibility into, understanding of, and control over its associated supply chain risks. You can think of NIST 800-161 Rev. 1 as a how-to guide or playbook for building or improving a C-SCRM or TPRM program to address these supply chain risks. At 326 pages, it is loaded with guidance and supplemental resources for developing key practices, policies, procedures, and strategies for managing exposure to cybersecurity risks throughout a company's supply chain. The C-SCRM practices and strategies it provides can be used whether you are building a new program or enhancing an existing one.

Audience profiles 

C-SCRM is an enterprise-level activity involving multiple groups or teams, which is why the publication is divided into sections based on reader profiles or roles found within a typical organization, making it easier to apply to specific teams or groups. The high-level audience sections are:

  • Enterprise – Executive Leaders (Strategy, Governance, Enterprise Risk Management) 

  • Business Process & Mission – C-SCRM/Supplier Management (Policies, Procedures, Implementation Plans) 

  • Operations – System Owners/Technical/Developers (Adhere to C-SCRM requirements)

Key practices 

Key practices are divided into three categories by level of maturity: Foundational, Sustaining, and Enhanced. C-SCRM implementations should be tailored to what is applicable and appropriate given the organization's unique context, such as compliance requirements, available resources, and risk profile. A few key practices are summarized here; detailed practices are provided in section 3.4 of the publication.

Foundational practices 

Practices and actions that support building a base-level C-SCRM capability include:

  • Obtain senior leadership support for establishing C-SCRM. 

  • Implement a risk management hierarchy and process. 

  • Develop a process to measure the criticality of the organization's suppliers, products, and services. 

  • Integrate C-SCRM into products and services acquisition policies and procedures. 

  • Use supplier risk assessment processes on a prioritized basis, incorporating threat and vulnerability analyses. 

  • Establish collaborative structures and processes for supply chain, cybersecurity, product security, physical security, and other relevant roles and processes. 

  • Monitor components of embedded software. 

  • Implement quality assurance and quality control processes. 

  • Establish internal checks to ensure compliance with security requirements. 

  • Implement a security incident response plan that includes incidents that originate from the cybersecurity supply chain. 

Sustaining practices 

A few more advanced practices that enable organizations to mature C-SCRM processes include:  

  • Assess supplier security capabilities and practices via surveys and formal certifications (e.g., ISO 27001 or SOC 2). 

  • Periodically reassess and continuously monitor for changes to the risk profile of supplier products and services and the supply chain itself. 

  • Integrate C-SCRM requirements into contractual agreements with suppliers and service providers. 

  • Involve critical suppliers in incident response and contingency plans. 

  • Coordinate with enterprise cybersecurity program leadership to elevate top C-SCRM risks to the most senior enterprise risk committee. 

  • Integrate C-SCRM into every aspect of the system and product life cycle, with consistent, well-documented, repeatable processes for systems engineering, cybersecurity practices, and acquisition. 

  • Collect C-SCRM metrics. 

Enhanced practices 

These enhanced practices center on the use of automation and analytics and include: 

  • Automate C-SCRM processes where possible. 

  • Analyze risk quantitatively with probabilistic approaches to determine the likelihood and impact of cybersecurity issues throughout the supply chain. 

  • Apply insights gained from leading C-SCRM metrics (forward-looking indicators) to shift from reactive to predictive C-SCRM strategies and plans that adapt to risk profile changes before they occur. 

How can RiskRecon by Mastercard help?  

NIST C-SCRM risk management guidance can help your organization, but it can also be challenging to implement, especially in the early stages. With RiskRecon, you can get help assessing the cyber health of your organization's supply chain security and learn which areas need the most attention. Check out RiskRecon today and start a 30-day trial to see how we can help you address your organization's supply chain risk management needs.