| Dimension | NIST SP 800-161 Rev. 1 | ISO/IEC 27036 supplier relationships | Reconciling the two |
|---|---|---|---|
| Scope and covered activity | SP 800-161 provides C-SCRM practices across enterprise, mission, and operational levels. Use NIST SP 800-161 Rev. 1 to define the in-scope system, product, service, supplier, release, incident, or governance process before mapping evidence. | ISO/IEC 27036 provides supplier relationship and supply chain security guidance. Use ISO/IEC 27036 supplier relationships to define the separate assurance, certification, legal, contractual, or operating lens before claiming equivalence. | For scope, write separate acceptance criteria for NIST SP 800-161 Rev. 1 and ISO/IEC 27036 supplier relationships; reuse evidence only where it proves both claims without changing the meaning. |
| Who must act | Assign NIST SP 800-161 Rev. 1 work to the owner who can approve the scoped risk, control, software, supplier, incident, or governance decision and provide evidence. | Assign ISO/IEC 27036 supplier relationships work to the owner who controls that program, contract, certification, legal obligation, or operational procedure. | A shared team can support both sides, but the accountable owner should be named separately for NIST SP 800-161 Rev. 1 and ISO/IEC 27036 supplier relationships. |
| Trigger or threshold | NIST SP 800-161 Rev. 1: use it when an organization needs C-SCRM governance, supplier risk assessment, acquisition controls, or assurance evidence for ICT products and services. | ISO/IEC 27036 supplier relationships: use it to structure information-security requirements across acquirer-supplier relationships, including supplier selection, agreements, monitoring, and relationship termination. | Record the trigger facts in plain language so product, legal, security, privacy, sustainability, and procurement teams know when the comparison must be rerun. |
| Core obligations | NIST SP 800-161 Rev. 1 turns C-SCRM into an enterprise program of strategy, policy, plans, risk assessments, controls, acquisition requirements, monitoring, and periodic refreshes. The concrete action list should reflect those multilevel duties rather than a generic checklist. | ISO/IEC 27036 supplier relationships should be translated into the supplier-relationship duties that sit around agreements, due diligence, monitoring, and termination planning. Do not replace those relationship duties with a copy of the NIST action list. | Turn the comparison into a side-by-side duty map: one column for NIST C-SCRM program actions, one for ISO supplier-relationship actions, and one for the parts that can be reused without changing the requirement. |
| Evidence and records | NIST SP 800-161 Rev. 1: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | ISO/IEC 27036 supplier relationships: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies NIST SP 800-161 Rev. 1, ISO/IEC 27036 supplier relationships, or both. |
| Timing and cadence | NIST SP 800-161 Rev. 1 treats C-SCRM as a living program: strategy, policies, plans, controls, and evidence should be reviewed and refreshed periodically, and monitoring should continue across the life cycle. | ISO/IEC 27036 supplier relationships should be tracked against the comparator's own review, renewal, monitoring, and termination points so one timing rule does not erase the other. | Use separate clocks for each side and surface the earliest decision date, the next scheduled review, and any transition period that changes implementation sequencing. |
| Enforcement or assurance route | NIST SP 800-161 Rev. 1 is an internal C-SCRM guidance model, so the practical assurance route is the enterprise's own governance, contracts, assessments, audits, and monitoring. | ISO/IEC 27036 supplier relationships should be checked for the comparator's assurance route, which may sit in contracts, certifications, legal obligations, or customer requirements. | Escalate when assurance routes differ, because the same supplier file may need separate governance proof for NIST C-SCRM and for ISO supplier relationships. |
| Overlap and reuse | NIST SP 800-161 Rev. 1: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | ISO/IEC 27036 supplier relationships can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Reuse evidence carefully: overlap can reduce duplicated work, but it does not merge scope, actors, deadlines, penalties, or public-facing wording. |
| Practical decision rule | Choose NIST SP 800-161 Rev. 1 when the work must become an enterprise C-SCRM program with strategy, policy, plans, acquisition requirements, controls, and periodic monitoring. | Choose ISO/IEC 27036 supplier relationships when the decision is primarily about supplier-relationship requirements, agreements, and lifecycle management outside the NIST program structure. | If both apply, keep NIST as the program lens and ISO as the supplier-relationship lens, then write one record that names the unique duty each side still has to satisfy. |