| Dimension | NIST SP 800-161 Rev. 1 | DORA ICT third-party risk | Using both together |
|---|---|---|---|
| Scope and covered activity | SP 800-161 gives cybersecurity supply chain risk management (C-SCRM) practices that can support supplier risk governance. Use NIST SP 800-161 Rev. 1 to define the in-scope system, product, service, supplier, release, incident, or governance process before mapping evidence. | DORA creates binding ICT third-party risk duties for financial entities in scope. Use DORA ICT third-party risk to define the separate assurance, certification, legal, contractual, or operating lens before claiming equivalence. | For scope, write separate acceptance criteria for NIST SP 800-161 Rev. 1 and DORA ICT third-party risk; reuse evidence only where it proves both claims without changing the meaning. |
| Who must act | Assign NIST SP 800-161 Rev. 1 work to the owner who can approve the scoped risk, control, software, supplier, incident, or governance decision and provide evidence. | Assign DORA ICT third-party risk work to the owner who controls that program, contract, certification, legal obligation, or operational procedure. | A shared team can support both sides, but the accountable owner should be named separately for NIST SP 800-161 Rev. 1 and DORA ICT third-party risk. |
| Trigger or threshold | NIST SP 800-161 Rev. 1: state the fact that starts the obligation, such as market placement, processing, designation, incident, reporting period, transfer, data request, supplier change, or public claim. | DORA ICT third-party risk turns on financial-entity scope, ICT third-party service use, critical or important functions, critical ICT third-party provider designation, incident duties, contractual arrangements, and supervisory notice. | Record the trigger facts in plain language so product, legal, security, privacy, sustainability, and procurement teams know when the comparison must be rerun. |
| Core obligations | NIST SP 800-161 Rev. 1 organizes supplier risk work into a practical program: identify and assess supply chain risks, select controls and mitigations, maintain trusted relationships and records, and keep the process under governance review. | DORA imposes direct legal duties on financial entities: maintain ICT risk management, report major ICT-related incidents, test resilience, manage ICT third-party risk, use binding contract clauses, and follow oversight actions for critical providers. | NIST SP 800-161 Rev. 1 is a programmatic supply chain risk management guide, while DORA is a binding financial-sector regime with explicit reporting, testing, contractual, and supervisory duties. |
| Evidence and records | NIST SP 800-161 Rev. 1: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | DORA ICT third-party risk: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies NIST SP 800-161 Rev. 1, DORA ICT third-party risk, or both. |
| Timing and cadence | NIST SP 800-161 Rev. 1: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | DORA ICT third-party risk: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use separate clocks for each side and surface the earliest decision date, the longest retention or review duty, and any transition period that changes implementation sequencing. |
| Enforcement or assurance route | NIST SP 800-161 Rev. 1: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | DORA ICT third-party risk: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ, because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
| Overlap and reuse | NIST SP 800-161 Rev. 1: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | DORA ICT third-party risk can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Reuse evidence carefully: overlap can reduce duplicated work, but it does not merge scope, actors, deadlines, penalties, or public-facing wording. |
| Practical decision rule | Choose NIST SP 800-161 Rev. 1 as the primary lens when the question concerns its own scope, terminology, evidence, and audience. | Choose DORA ICT third-party risk as the primary lens when the question concerns its own scope, terminology, evidence, and audience. | When both apply, write one decision record with two source-linked claims instead of forcing one framework to stand in for the other. |