Sorry, you need to enable JavaScript to visit this website.
Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.


  1. Home
  2. Cyber Risk Management

Cyber Risk Management

Get Started

Cyber Supply Chain Risk Management involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. It covers the entire lifecycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction).

This training has been designed to assist the learner with developing an understanding of cyber supply chain risk management, also known as C-SCRIM, and the role it plays within our society today.

cyber alert icon

More Cyber Risk Management Resources

In response to a study exploring barriers and challenges to Single Sign-On (SSO) adoption by small and medium-sized businesses (SMBs), CISA has released a report summarizing views of vendors and customers and provides a set of recommendations for encouraging SSO adoption.

The CSF can help an organization become a smart acquirer and supplier of technology products and services to improve your organizations' Cybersecurity Supply Chain Risk Management (C-SCRM).

The Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management product provides a framework that includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used. The Appendix's "Mapping to SBOM Formats" includes definitions that include a direct 1:1 mapping to alternative BOM formats such as CycloneDX and SPDX.

This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. The Key Practices presented in this document can be used to implement a robust C-SCRM function at an organization of any size, scope, and complexity.

This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations and includes guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services.

This guidance, and the accompanying fact sheet, provides best practices for software customers for procuring and deploying secure software, which includes guidance for the Software Bill of Materials.

This report is focused on software supply chain security in the telecommunications ecosystem with service providers, cloud service providers, and software vendors to identify recommended best practices to improve communications software supply chain security.

A “Software Bill of Materials” (SBOM) provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks.

In addition to establishing the minimum elements for a Software Bill of Material (SBOM), this report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution.

This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

The recommendations in the document are designed to improve the effectiveness of supply chain, vendor, and technology evaluations prior to the purchase of Internet of Things devices, systems, and services.

Library of NIST-authored publications.