---
title: "NIST SP 800-161 Rev. 1 (C-SCRM)"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-161-rev-1"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-161-rev-1"
author: "Sorena AI"
description: "Practical NIST SP 800-161 Rev. 1 Update 1 guidance for cybersecurity supply chain risk management: multilevel enterprise, mission, and operational model."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "NIST SP 800-161 Rev. 1"
  - "NIST SP 800-161r1-upd1"
  - "cybersecurity supply chain risk management"
  - "C-SCRM"
  - "supply chain cybersecurity"
  - "third party risk management"
  - "supplier risk tiering"
  - "supplier contract cybersecurity clauses"
  - "continuous supplier monitoring"
  - "NIST supply chain controls"
  - "SP 800-161 implementation guide"
  - "SP 800-161 compliance"
  - "SP 800-161 audit evidence"
  - "supplier assurance metrics"
  - "Supply chain security"
  - "Third-party risk management"
  - "Global compliance"
---

# NIST SP 800-161 Rev. 1 (C-SCRM)

Practical NIST SP 800-161 Rev. 1 Update 1 guidance for cybersecurity supply chain risk management: multilevel enterprise, mission, and operational model.

![NIST SP 800-161 Rev. 1 artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-global-nist-sp-800-161-rev-1-small.jpg?v=cheatsheets%2Fprod)

## NIST SP 800-161 Rev. 1 Cybersecurity supply chain risk management implementation hub

Use these guides to operationalize cybersecurity supply chain risk management with the actual NIST multilevel model: integrate supply chain risk into enterprise governance, develop strategy and implementation plans, tailor mission and operational plans, run supplier risk tiering, enforce contract controls, and monitor suppliers continuously.

Grounded in NIST SP 800-161 Rev. 1 Update 1. The base publication is dated May 2022 and includes updates as of November 1, 2024, with NIST Editorial Review Board approval on September 25, 2024.

## What this artifact helps you do

- **Integrate C-SCRM into risk governance**: Connect supply chain cybersecurity risk to enterprise risk decisions, accountability, and reporting.
- **Run supplier assurance with depth**: Tier suppliers, define contractual requirements, and set monitoring cadence based on risk.
- **Prove control effectiveness**: Build an evidence index with measurable outcomes and continuous improvement.

By Sorena AI | Updated 2026 | No signup required

### Quick scan

- **Compliance playbook**: How to build a C-SCRM operating model across enterprise levels.
- **Contract + monitoring controls**: Practical controls for supplier agreements and continuous oversight.
- **Supplier risk tiering**: Tiering logic and depth model for assessments and evidence cadence.

SP 800-161 is most effective when supply chain risk decisions are measurable, enforceable, and continuously monitored.

| Value | Metric |
| --- | --- |
| C-SCRM | Focused |
| Suppliers | Tiered |
| Contracts | Enforced |
| Evidence | Auditable |

**Key highlights:** Tier | Contract | Monitor

## Topic Guides

- [NIST SP 800-161 Rev. 1 Compliance Playbook (C-SCRM)](/artifacts/global/nist-sp-800-161-rev-1/compliance.md): Practical SP 800-161 Rev. 1 compliance playbook: integrate C-SCRM with enterprise risk management, define strategy and implementation plan.
- [NIST SP 800-161 Rev. 1 Contract and Monitoring Controls](/artifacts/global/nist-sp-800-161-rev-1/contract-and-monitoring-controls.md): Practical contract and monitoring controls for C-SCRM under SP 800-161 Rev.
- [NIST SP 800-161 Rev. 1 FAQ (C-SCRM Implementation)](/artifacts/global/nist-sp-800-161-rev-1/faq.md): NIST SP 800-161 Rev. 1 FAQ: scope, applicability outside federal environments, supplier risk tiering, acquisition and contract controls, C-SCRM metrics.
- [NIST SP 800-161 Rev. 1 Supplier Risk Tiering Model](/artifacts/global/nist-sp-800-161-rev-1/supplier-risk-tiering.md): Build a risk-based supplier tiering model aligned to SP 800-161 Rev.

## Explore NIST SP 800-161 Rev. 1 guides

Use these subpages for implementation deep dives: compliance playbook, contract and monitoring controls, supplier risk tiering, and FAQ.

## How to run C-SCRM as an operating model

Treat C-SCRM as a three-level operating model. At the enterprise level, define strategy, implementation plan, policy, and governance. At the mission and business level, tailor those artifacts to the process context. At the operational level, build C-SCRM plans, tailored controls, acquisition requirements, and monitoring that fit the specific system, service, or product lifecycle.

## Turn the NIST SP 800-161 Rev. 1 implementation hub into an operational assessment workflow

The NIST SP 800-161 Rev. 1 Cybersecurity supply chain risk management implementation hub should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis.

- Start from the implementation hub and route the work by entity, product, team, or control owner.
- Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
- Use SSOT to keep documents, evidence, and control records in one governed system.
- Move from artifact reading to accountable execution without rebuilding the guidance in separate files.

- [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints for NIST SP 800-161 Rev. 1 Cybersecurity supply chain risk management implementation hub.
- [Open SSOT](/solutions/ssot.md): Keep documents, evidence, and control records in one governed system from the same artifact.
- [Talk through NIST SP 800-161 Rev. 1 Cybersecurity supply chain risk management implementation hub](/contact.md): Review your current process, evidence model, and next steps for NIST SP 800-161 Rev. 1 Cybersecurity supply chain risk management implementation hub.



(c) 2026 Sorena AB (559573-7338). All rights reserved.

