This is a potential security issue, you are being redirected to https://csrc.nist.gov.
You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.
Date Published: October 30, 2024
Comments Due: December 16, 2024 (public comment period is CLOSED)
Email Questions to:
[email protected]
Supply chain risk assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a supplier’s risk prior to entering into an agreement with them.
Based on the widely adopted content in NIST Special Publication (SP) 800-161r1, this new draft Quick-Start Guide proposes an implementation-ready approach to conducting the minimum amount of investigative rigor on potential suppliers. Identifying the primary risk factors that an acquirer should consider can enable quick turnarounds with limited resources.
Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161r1 (Revision 1). While due diligence supplier assessments can be applied to any type of supplier, this Quick-Start Guide is scoped to information and communications technology (ICT) suppliers. The components of a Due Diligence Assessment are Supply Chain Tiers; Foreign Ownership, Control, or Influence (FOCI); Provenance; Stability; and Foundational Cyber Practices.
Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161r1 (Revision 1). While due diligence supplier assessments can be applied to any type of supplier, this Quick-Start Guide is scoped to information and communications technology (ICT) suppliers. The components of a Due Diligence Assessment are Supply Chain Tiers; Foreign Ownership, Control, or Influence (FOCI); Provenance; Stability; and Foundational Cyber Practices.
Risk Assessment; Supply Chain Risk Management
Publication:
https://doi.org/10.6028/NIST.SP.1326.ipd
Download URL
Supplemental Material:
NIST C-SCRM Project
Document History:
10/30/24: SP 1326 (Draft)