
Feedback Sought: NIST Issues Second Draft of Cybersecurity Supply Chain Risk Management Practices


Comment Period Ends on December 3, 2021

The American National Standards Institute (ANSI) encourages its members to submit feedback on the National Institute of Standards and Technology’s (NIST) second public draft of Special Publication (SP) 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which is open to public comment. Responses, due by December 3, 2021, will help NIST carry out one of its multiple assignments in the President’s Executive Order (EO) 14028, Improving the Nation’s Cybersecurity.

NIST’s initial public draft, published in April 2021, preceded the release of the EO, which emphasizes the Administration’s top priority to support prevention, detection, assessment, and remediation of cyber incidents, essential to national and economic security. The EO tasked multiple agencies—including NIST—“with enhancing cybersecurity through a variety of initiatives, but with a specific focus on the security and integrity of the software supply chain.”

Background on the Second Public Draft of Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

NIST reports that the amended draft provides more consumable content for different audiences, with a revised document structure and new “Audience Profiles.” NIST has also added two new appendices focused more specifically on federal departments and agencies. These include: 

  • APPENDIX E: Federal Acquisition Supply Chain Security Act of 2018 (FASCSA) appendix, which provides additional guidance tailored to federal executive agencies related to supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response.
  • APPENDIX F: Response to Executive Order 14028’s Call to Publish Preliminary Guidelines for Enhancing Software Supply Chain Security appendix, which seeks to provide a response to the directives outlined within Section 4(c) of the EO by outlining existing industry standards, tools, and recommended practices within the context of SP 800-161 Revision 1, as well as any new standards, tools, and recommended practices stemming from the EO and recent developments in the discipline.

NIST requests comments by December 3, 2021, and provides a template for comment submissions, along with instructions and more information, on its website.


Jana Zabinski

Senior Director, Communications & Public Relations



Beth Goodbaum

Journalist/Communications Specialist

