Cyber Risk Management

This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations and includes guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services.

This guidance, and the accompanying fact sheet, provides best practices for software customers for procuring and deploying secure software, which includes guidance for the Software Bill of Materials.

This report is focused on software supply chain security in the telecommunications ecosystem with service providers, cloud service providers, and software vendors to identify recommended best practices to improve communications software supply chain security.

A “Software Bill of Materials” (SBOM) provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks.

In addition to establishing the minimum elements for a Software Bill of Material (SBOM), this report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution.

This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

The recommendations in the document are designed to improve the effectiveness of supply chain, vendor, and technology evaluations prior to the purchase of Internet of Things devices, systems, and services.

Library of NIST-authored publications.