NIST Invites Comments on Major Revision to Cyber Supply Chain Risk Management Practices

The National Institute of Standards and Technology (“NIST”) is seeking comments on its draft NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on April 29, 2021. The public comment period currently is open and concludes on June 14, 2021. NIST anticipates releasing a second draft in September 2021, with a final version anticipated to be released by April 2022.

The updates to NIST SP 800-161 focus primarily on helping organizations identify, assess, and respond to cyber supply chain risks while remaining aligned with other fundamental NIST cybersecurity risk management guidance. The revision to NIST SP 800-161 is designed to incorporate next-generation cyber supply chain risk management (“C-SCRM”) controls, strategies, policies, plans, and risk assessments into broader enterprise risk management activities through the application of a multi-level approach. The ultimate goal of these major updates is to provide implementation guidance in a “more modular and consumable manner for acquirers, suppliers, developers, system integrators, external system service providers, and other…
