NIST SP 800-161

United States

vRev 1

14 domains

34 controls

Cybersecurity Supply Chain Risk Management Practices

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (14)

Acquisition and Procurement

3 controls

Controls in the Acquisition and Procurement domain of NIST SP 800-161 — 3 controls
Code	Title	Description
SCRM-ACQ-1	Acquisition Process Integration	Integrate C-SCRM requirements into acquisition processes including requirements definition, source selection, contractin...
SCRM-ACQ-2	Supplier Security Requirements	Define and enforce baseline security and supply chain requirements for suppliers, tailored to criticality and the nature...
SCRM-ACQ-3	Flow-Down to Sub-Tier Suppliers	Require prime suppliers to flow down C-SCRM obligations to sub-tier suppliers commensurate with criticality and risk.

Components and Services

3 controls

Controls in the Components and Services domain of NIST SP 800-161 — 3 controls
Code	Title	Description
SCRM-COMP-1	Component Authenticity	Verify the authenticity of hardware and software components received, including the use of authorised resellers, signatu...
SCRM-COMP-2	Software Bill of Materials Use	Obtain and use a software bill of materials for acquired and produced software to support vulnerability management, lice...
SCRM-COMP-3	Provenance and Pedigree Tracking	Track the provenance and pedigree of critical components and services throughout the supply chain, supporting decisions...

Enterprise Governance

3 controls

Controls in the Enterprise Governance domain of NIST SP 800-161 — 3 controls
Code	Title	Description
SCRM-GOV-1	C-SCRM Governance Structure	Establish an enterprise governance structure for cyber supply chain risk management with executive sponsorship, decision...
SCRM-GOV-2	C-SCRM Policy Framework	Maintain a policy framework that defines requirements for cyber supply chain risk management across acquisition, operati...
SCRM-GOV-3	C-SCRM Strategy and Implementation Plan	Develop a C-SCRM strategy and implementation plan that defines goals, scope, roles, milestones, and resources for the pr...

Incident and Response

2 controls

Controls in the Incident and Response domain of NIST SP 800-161 — 2 controls
Code	Title	Description
SCRM-INC-1	Supply Chain Incident Response	Integrate supply chain considerations into incident response, including supplier notifications, evidence preservation, a...
SCRM-INC-2	Vulnerability Disclosure and Response in Supply Chain	Operate vulnerability disclosure and response practices that cover acquired components and supplier services, including...

NIST SP 800-161: Access Control

5 controls

Logical and physical access controls (NIST SP 800-161)

Controls in the NIST SP 800-161: Access Control domain of NIST SP 800-161 — 5 controls
Code	Title	Description
SP800-161-CONTROLS-AC	ICT SCRM Control Family: Access Control	Supply-chain-tailored access control requirements for systems, components, and supplier interactions.
SP800-161-CONTROLS-SA	ICT SCRM Control Family: System and Services Acquisition	Acquisition controls addressing supplier requirements, development practices, and component authenticity.
SP800-161-CONTROLS-SR	ICT SCRM Control Family: Supply Chain Risk Management	Dedicated supply chain risk management controls including the C-SCRM plan, supplier assessments, and component tamper re...
SP800-161-INCIDENT	Supply Chain Incident Management	Detect, respond to, and recover from incidents that originate in or propagate through the ICT supply chain.
SP800-161-PROVENANCE	Provenance and Traceability	Establish and maintain the provenance of systems, components, and data, tracking changes and the chain of custody throug...

NIST SP 800-161: Asset Management

5 controls

Information asset management (NIST SP 800-161)

Controls in the NIST SP 800-161: Asset Management domain of NIST SP 800-161 — 5 controls
Code	Title	Description
SP800-161-CRITICALITY	Criticality Analysis	Identify mission-critical functions and components to prioritize ICT supply chain risk management activities and control...
SP800-161-FOUND-PRACTICES	Foundational ICT SCRM Practices	Implement foundational practices such as a C-SCRM program, supplier relationships, and integration with enterprise risk...
SP800-161-MONITOR	Risk Process: Monitor	Monitor ICT supply chain risk over time, including changes to suppliers, products, and the threat environment, and the e...
SP800-161-RESPOND	Risk Process: Respond	Select and implement courses of action (accept, avoid, mitigate, share, or transfer) to address identified ICT supply ch...
SP800-161-SUPPLIER	Supplier Relationship Management	Establish and manage agreements, requirements, and oversight of suppliers, developers, system integrators, and external...

NIST SP 800-161: Communications Security

0 controls

Network and communications security (NIST SP 800-161)

NIST SP 800-161: Cryptography

0 controls

Cryptographic controls (NIST SP 800-161)

NIST SP 800-161: Information Security Policies

5 controls

Organizational information security policies (NIST SP 800-161)

Controls in the NIST SP 800-161: Information Security Policies domain of NIST SP 800-161 — 5 controls
Code	Title	Description
SP800-161-ASSESS	Risk Process: Assess	Identify and evaluate ICT supply chain threats, vulnerabilities, likelihood, and impact to determine supply chain risk.
SP800-161-FRAME	Risk Process: Frame	Establish the context and assumptions for ICT supply chain risk decisions, including constraints, risk tolerance, and pr...
SP800-161-TIER1	Multitiered Risk: Tier 1 (Organization)	Establish organization-wide ICT SCRM governance, strategy, risk appetite, and policy at the organization tier.
SP800-161-TIER2	Multitiered Risk: Tier 2 (Mission/Business Process)	Integrate ICT SCRM into mission and business process design, including the criticality of functions and the acquisition...
SP800-161-TIER3	Multitiered Risk: Tier 3 (Information Systems)	Apply ICT SCRM controls to individual information systems and their components across the system development lifecycle.

NIST SP 800-161: Operations Security

0 controls

Secure operations and monitoring (NIST SP 800-161)

Programme Measurement

1 controls

Controls in the Programme Measurement domain of NIST SP 800-161 — 1 controls
Code	Title	Description
SCRM-MEAS-1	C-SCRM Metrics and Reporting	Measure C-SCRM programme effectiveness using defined metrics and report results to governance bodies and executive spons...

Resilience

2 controls

Controls in the Resilience domain of NIST SP 800-161 — 2 controls
Code	Title	Description
SCRM-RES-1	Supply Chain Resilience and Continuity	Plan and prepare for disruption of critical supply chains through alternates, stockpiles, contractual recovery commitmen...
SCRM-RES-2	Supply Chain Information Sharing	Participate in supply chain information sharing with sector partners, government, and industry communities to improve co...

Risk Management

2 controls

Controls in the Risk Management domain of NIST SP 800-161 — 2 controls
Code	Title	Description
SCRM-RM-1	Supply Chain Risk Assessment	Perform supply chain risk assessments at enterprise, mission, and system levels that consider threats, vulnerabilities,...
SCRM-RM-2	Criticality Analysis	Identify critical systems, components, services, and suppliers whose compromise would significantly impact mission and p...

Supplier Management

3 controls

Controls in the Supplier Management domain of NIST SP 800-161 — 3 controls
Code	Title	Description
SCRM-SUP-1	Supplier Due Diligence	Conduct due diligence on suppliers prior to award and at defined intervals, including security posture, ownership, forei...
SCRM-SUP-2	Continuous Supplier Monitoring	Continuously monitor suppliers using a combination of attestations, evidence reviews, external signals, and incident not...
SCRM-SUP-3	Supplier Performance and Issue Management	Track supplier performance against security and C-SCRM obligations and manage issues to closure with documented escalati...

Maps to 1 other framework

34 total controls

NIST SP 800-53 Rev 5

15 source controls mapped|11 target controls covered

44%

Compare NIST SP 800-161 with NIST SP 800-53 Rev 5

Frequently Asked Questions

What is NIST SP 800-161?

NIST SP 800-161 is a compliance framework from United States with 14 domains and 34 controls. Cybersecurity Supply Chain Risk Management Practices It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-161 have?

NIST SP 800-161 has 34 controls organised across 14 domains. The largest domains are NIST SP 800-161: Access Control (5 controls), NIST SP 800-161: Asset Management (5 controls), NIST SP 800-161: Information Security Policies (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-161 map to?

NIST SP 800-161 maps to 1 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (44% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST SP 800-161 compliance?

Start your NIST SP 800-161 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-161 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 34 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required