NIST SP 800-161 Rev 1

United States

3 domains

42 controls

NIST SP 800-161 Rev 1 Cybersecurity Supply Chain Risk Management Practices.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (3)

C-SCRM Strategy

4 controls

Controls in the C-SCRM Strategy domain of NIST SP 800-161 Rev 1 — 4 controls
Code	Title	Description
C-SCRM-PMO	C-SCRM Program Management Office	Establish a C-SCRM PMO or equivalent governance body responsible for execution, coordination, and reporting.
C-SCRM-POLICY	C-SCRM Policy	Develop, document, disseminate, and maintain a C-SCRM policy aligned with enterprise risk tolerance and applicable law.
C-SCRM-ROLES	C-SCRM Roles and Responsibilities	Define roles and responsibilities for C-SCRM across enterprise, mission, and operational tiers including suppliers and i...
C-SCRM-STRATEGY	C-SCRM Strategy and Implementation Plan	Establish an enterprise C-SCRM strategy and implementation plan that defines mission, scope, objectives, roles, integrat...

Control Enhancement

27 controls

Controls in the Control Enhancement domain of NIST SP 800-161 Rev 1 — 27 controls
Code	Title	Description
SR-1	Policy and Procedures (SR-1)	Develop, document, disseminate, and review supply chain risk management policy and procedures at defined frequency.
SR-10	Inspection of Systems or Components (SR-10)	Inspect systems or components at defined frequency or upon indications of tampering to detect compromise.
SR-11	Component Authenticity (SR-11)	Implement anti-counterfeit policy and procedures to detect and prevent counterfeit components.
SR-11(1)	Anti-counterfeit Training (SR-11(1))	Train personnel to detect counterfeit system components.
SR-11(2)	Configuration Control for Component Service and Repair (SR-11(2))	Maintain configuration control over components awaiting service or repair, and after return.
SR-11(3)	Anti-counterfeit Scanning (SR-11(3))	Scan for counterfeit components at defined frequency using defined methods.
SR-12	Component Disposal (SR-12)	Dispose of data, documentation, tools, or system components using defined techniques and methods.
SR-2	Supply Chain Risk Management Plan (SR-2)	Develop a C-SCRM plan for managing supply chain risks for systems, components, and services; review and update at define...
SR-2(1)	Establish SCRM Team (SR-2(1))	Establish a supply chain risk management team of personnel with defined roles to support C-SCRM activities.
SR-3	Supply Chain Controls and Processes (SR-3)	Establish processes to identify, protect, detect, respond, and recover across the supply chain lifecycle.
SR-3(1)	Diverse Supply Base (SR-3(1))	Employ a diverse set of sources for critical components to reduce single source risk.
SR-3(2)	Limitation of Harm (SR-3(2))	Employ controls to limit harm from potential adversaries identifying and obtaining specific system components.
SR-3(3)	Sub-tier Flow Down (SR-3(3))	Ensure C-SCRM controls flow down to subcontractors and sub-tier suppliers through contracts.
SR-4	Provenance (SR-4)	Document, monitor, and maintain provenance of systems, components, and associated data throughout the SDLC.
SR-4(1)	Identity (SR-4(1))	Establish and maintain unique identification of supply chain elements, processes, and actors.
SR-4(2)	Track and Trace (SR-4(2))	Establish track and trace capability for elements across their lifecycle.
SR-4(3)	Validate as Genuine and Not Altered (SR-4(3))	Employ controls to validate that received components are genuine and have not been altered.
SR-4(4)	Supply Chain Integrity Pedigree (SR-4(4))	Employ controls to establish supply chain integrity pedigree including configuration baselines and signed evidence.
SR-5	Acquisition Strategies, Tools, and Methods (SR-5)	Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply...
SR-5(1)	Adequate Supply (SR-5(1))	Employ strategies to ensure an adequate supply of critical components, including stockpiling and alternates.
SR-5(2)	Assessments Prior to Selection, Acceptance, Modification, or Update (SR-5(2))	Conduct C-SCRM assessments prior to selecting, accepting, modifying, or updating suppliers and components.
SR-6	Supplier Assessments and Reviews (SR-6)	Assess and review the supply chain risk posture of suppliers at defined frequency and after significant events.
SR-6(1)	Testing and Analysis (SR-6(1))	Employ analysis, testing, and inspection on supplied components to detect counterfeit or compromised elements.
SR-7	Supply Chain Operations Security (SR-7)	Apply OPSEC measures to protect supply chain information from disclosure that could enable adversaries.
SR-8	Notification Agreements (SR-8)	Establish agreements with suppliers for notification of supply chain compromises and relevant changes.
SR-9	Tamper Resistance and Detection (SR-9)	Implement tamper resistance and detection for systems, components, and devices.
SR-9(1)	Multiple Stages of SDLC (SR-9(1))	Apply tamper resistance and detection at multiple stages of the system development lifecycle.

Practice

11 controls

Controls in the Practice domain of NIST SP 800-161 Rev 1 — 11 controls
Code	Title	Description
C-SCRM-CONT	Supply Chain Continuity and Resilience	Plan for continuity and resilience of critical supply chains including alternates, stockpiles, and recovery.
C-SCRM-CRIT	Criticality Analysis	Identify critical components, suppliers, and functions to prioritize C-SCRM controls and monitoring.
C-SCRM-IDDEP	Identification of Suppliers and Dependencies	Identify all suppliers, integrators, and dependencies including sub-tier relationships and concentration risk.
C-SCRM-INC	Incident Management and Response Across Supply Chain	Integrate suppliers and integrators into incident response including detection, reporting, coordination, and recovery.
C-SCRM-METRICS	C-SCRM Metrics, Monitoring, and Reporting	Define and report metrics for C-SCRM performance and risk to leadership and stakeholders.
C-SCRM-OPENSRC	Open Source Software Risk Management	Manage risk from open source software components including provenance, licensing, vulnerability, and maintainer trust.
C-SCRM-RISK-ASSESS	Supply Chain Risk Assessment	Perform risk assessments of supply chain elements considering threats, vulnerabilities, likelihood, and impact.
C-SCRM-SVCPROV	External Service Provider Risk Management	Manage risk from external service providers including cloud, managed services, and integrators with contractual obligati...
C-SCRM-THREAT	Threat Analysis and Intelligence Sharing	Collect, analyze, and share C-SCRM threat information including counterfeit and adversarial supplier indicators.
C-SCRM-TRAIN	C-SCRM Training and Awareness	Provide role-based training and general awareness on C-SCRM to staff, contractors, and key suppliers.
C-SCRM-VULN	Vulnerability Management Across Supply Chain	Establish vulnerability management practices that cover supplied components and require coordinated disclosure.

Frequently Asked Questions

What is NIST SP 800-161 Rev 1?

NIST SP 800-161 Rev 1 is a compliance framework from United States with 3 domains and 42 controls. NIST SP 800-161 Rev 1 Cybersecurity Supply Chain Risk Management Practices. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-161 Rev 1 have?

NIST SP 800-161 Rev 1 has 42 controls organised across 3 domains. The largest domains are Control Enhancement (27 controls), Practice (11 controls), C-SCRM Strategy (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-161 Rev 1 map to?

NIST SP 800-161 Rev 1 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with NIST SP 800-161 Rev 1 compliance?

Start your NIST SP 800-161 Rev 1 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-161 Rev 1 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required