Cyber Risk Management

This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations and includes guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services.

This site aims to collect guidance documents from a number of sources, including the CISA community-led work publications, the earlier National Telecommunications and Information Administration’s (NTIA) multistakeholder process, guidance from CISA itself and other federal agencies, and other relevant policy documents from governments around the world. 

This guide assists public safety communications systems operators, owners, and managers in understanding the steps of a cyber risk assessment. Included with this guide are customizable reference tables to help organizations identify and document personnel and resources involved with each step of the assessment.

In response to a study exploring barriers and challenges to Single Sign-On (SSO) adoption by small and medium-sized businesses (SMBs), CISA has released a report summarizing views of vendors and customers and provides a set of recommendations for encouraging SSO adoption.

The CSF can help an organization become a smart acquirer and supplier of technology products and services to improve your organizations' Cybersecurity Supply Chain Risk Management (C-SCRM).

The Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management product provides a framework that includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used. The Appendix's "Mapping to SBOM Formats" includes definitions that include a direct 1:1 mapping to alternative BOM formats such as CycloneDX and SPDX.

This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. The Key Practices presented in this document can be used to implement a robust C-SCRM function at an organization of any size, scope, and complexity.

This guidance, and the accompanying fact sheet, provides best practices for software customers for procuring and deploying secure software, which includes guidance for the Software Bill of Materials.

This report is focused on software supply chain security in the telecommunications ecosystem with service providers, cloud service providers, and software vendors to identify recommended best practices to improve communications software supply chain security.

In addition to establishing the minimum elements for a Software Bill of Material (SBOM), this report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution.

This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

The recommendations in the document are designed to improve the effectiveness of supply chain, vendor, and technology evaluations prior to the purchase of Internet of Things devices, systems, and services.

Library of NIST-authored publications.