The National Institute of Standards and Technology (“NIST”) is seeking comments on its second draft of NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on October 28, 2021. We previously discussed the release of the first draft here. The public comment period currently is open and concludes on December 3, 2021. NIST anticipates releasing a final version during the third quarter of 2022.

The first draft published April 29, 2021 preceded the release of President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity (discussed previously here), which was issued on May 12, 2021. Executive Order 14028 directed NIST – and several other agencies – to enhance cybersecurity through implementation of various initiatives, with emphasis on enhancing software supply chain security. NIST takes the Executive Order into account in this second draft, and incorporates preliminary guidelines with criteria for evaluating software security, evaluating the security practices of developers and suppliers, and identifying innovative tools or methods to demonstrate conformance with secure practices (see Appendix F, Preliminary Guidelines for Enhancing Software Supply Chain Security).

In addition to the preliminary software security guidelines, this revision focuses on guidance for organizations to identify, assess, and mitigate cybersecurity risks in the supply chain, and to incorporate next-generation cyber supply chain risk management (“C-SCRM”) controls into their risk management activities. It includes specific information regarding implementation of C-SCRM security controls and guidance regarding the integration of C-SCRM into enterprise-wide risk management processes. In line with the Executive Order and renewed emphasis on securing the government supply chain, NIST recommends that companies engage in both internal and external supply chain risk management activities, communicate and collaborate across enterprise levels, and engage with peers to exchange cybersecurity supply chain risk management insights.

Notably, the revised publication addresses how agencies should approach supply chain risk under the Federal Acquisition Supply Chain Security Act (“FASCSA”), pursuant to which the government may identify specific covered products and sources to be restricted in the government supply chain. Appendix E of the revised publication focuses on FASCA, providing additional guidance to federal agencies related to supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response.

As mentioned, the comment period for this draft closes December 3, 2021. This revision contains key information regarding supply chain risk and controls that contractors will need to understand, as well as specific guidelines on enhancing software supply chain security as called for by Executive Order 14028. Significant government focus on cybersecurity, and particularly supply chain security, makes this a “must read” for contractors. We expect the publication will play a key role in forthcoming regulations and requirements. Thus, it is important that contractors and the private sector at large provide industry perspective as NIST seeks to finalize this guidance and address this issue of software supply chain security. More information on the commenting process can be found on the NIST website.