NIST Special Publication 800-161 Revision 1 (2022), Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations, provides comprehensive guidance for managing cybersecurity risks across the entire information and communications technology (ICT) supply chain. Built on a three-tiered model, Organisational (Tier 1), Mission/Business Process (Tier 2), and System/Component (Tier 3), it integrates with the NIST Cybersecurity Framework and NIST SP 800-53 to address supply chain threats that traditional security controls do not cover.

For Indian IT firms and software exporters serving US federal agencies, defence contractors, or critical infrastructure operators, C-SCRM is increasingly a contractual requirement — referenced in CMMC 2.0, Executive Order 14028 on improving US cybersecurity, and FedRAMP supply chain risk requirements. The 2022 revision significantly expanded C-SCRM controls (adding C-SCRM-specific overlays to NIST SP 800-53 Rev 5) and introduced Software Bill of Materials (SBOM) requirements as a foundational supply chain transparency tool.

🇺🇸 EO 14028 Impact: US Executive Order 14028 (May 2021) mandated C-SCRM and SBOM requirements for all software sold to the US federal government. Indian software exporters to US federal agencies must have an SBOM programme and C-SCRM practices in place — or risk contract disqualification.