---
title: "NIST SP 800-161 Rev. 1 vs ISO/IEC 27036 supplier relationships: practical side-by-side comparison"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-161-rev-1/nist-sp-800-161-vs-iso-27036"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-161-rev-1/nist-sp-800-161-vs-iso-27036"
author: "Sorena AI"
description: "Compare NIST SP 800-161 Rev. 1 and ISO/IEC 27036 supplier relationships with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIST SP 800-161 Rev. 1 vs ISO/IEC 27036 supplier relationships"
  - "NIST SP 800-161 Rev. 1"
  - "comparison"
  - "evidence mapping"
  - "source-linked decision"
  - "NIST SP 800-161"
  - "C-SCRM"
  - "Supplier risk"
---

# NIST SP 800-161 Rev. 1 vs ISO/IEC 27036 supplier relationships: practical side-by-side comparison

Compare NIST SP 800-161 Rev. 1 and ISO/IEC 27036 supplier relationships with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.


Use the cited NIST sources to turn framework language into owners, evidence, review cadence, and decisions that a reader can act on.

This comparison helps teams mapping NIST SP 800-161 Rev. 1 to ISO/IEC 27036 supplier relationships. The goal is not to pick a winner; it is to separate scope, owners, evidence, review cadence, and assurance so one implementation record can support both sides without overclaiming.


- **NIST SP 800-161 Rev. 1**: the primary scoping column. Use it to confirm the covered facts, accountable owners, mandatory artifacts, and review timing before assigning implementation work. It is NIST guidance, voluntary outside the US federal government, so "enforcement" on this side means the enterprise's own governance, contracts, and assessments rather than an external regulator.
- **ISO/IEC 27036 supplier relationships**: the comparator workstream. Use it to test where scope, owners, triggers, evidence, timing, assurance route, and reuse limits differ from NIST SP 800-161 Rev. 1. The ISO/IEC 27036 family has several parts (overview and concepts, requirements, hardware/software/services supply chain security, cloud services); this page cites Part 3, so confirm which part actually carries a given requirement before quoting it as an obligation.

| Dimension | NIST SP 800-161 Rev. 1 | ISO/IEC 27036 supplier relationships | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | C-SCRM practices organized across three levels (enterprise, mission and business process, operational). Use it to fix the in-scope system, product, service, supplier, release, incident, or governance process before mapping evidence. | Information-security guidance for acquirer-supplier relationships, including hardware, software, and services supply chain security (Part 3). Use it to define the separate assurance, contractual, legal, or operating lens before claiming equivalence. | Write separate acceptance criteria for each side; reuse an artifact only where it proves both claims without changing the meaning of either. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io), [ISO/IEC 27036-3](https://www.iso.org/standard/59689.html?ref=sorena.io) |
| Who must act | Assign the work to the owner who can approve the scoped risk, control, software, supplier, incident, or governance decision and can produce the evidence for it. | Assign the work to the owner who controls the supplier program, contract, certification, legal obligation, or operating procedure in question. | A shared team can support both sides, but name a separate accountable owner for each; an artifact signed off by one owner does not automatically satisfy the other side. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io), [ISO/IEC 27036-3](https://www.iso.org/standard/59689.html?ref=sorena.io) |
| Trigger or threshold | Use it when an organization needs C-SCRM governance, supplier risk assessment, acquisition controls, or assurance evidence for ICT products and services. | Use it to structure information-security requirements across the acquirer-supplier relationship: supplier selection, agreements, monitoring, and relationship termination. | Record the trigger facts in plain language so product, legal, security, privacy, and procurement teams know when the comparison must be rerun (new supplier, contract renewal, scope change, supplier incident). | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) |
| Core obligations | Treats C-SCRM as an enterprise program: strategy, policy, plans, risk assessments, controls, acquisition requirements, monitoring, and periodic refresh. The action list should reflect those multilevel duties, not a generic checklist. | Translate into the supplier-relationship duties that sit around agreements, due diligence, monitoring, and termination planning. Do not replace them with a copy of the NIST action list. | Build a side-by-side duty map: one column for NIST program actions, one for ISO supplier-relationship actions, and one for the parts that can be reused without changing either requirement. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) |
| Evidence and records | Keep the evidence that proves this side of the decision: cited text, registers, policies, test records, contracts, notices, reports, approvals, and audit artifacts. | Keep comparator evidence as a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Maintain a traceable evidence matrix with source, claim, owner, artifact, review date, and whether the artifact satisfies NIST SP 800-161 Rev. 1, ISO/IEC 27036, or both. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) |
| Timing and cadence | A living program: strategy, policies, plans, controls, and evidence are reviewed and refreshed periodically, and monitoring continues across the system and supplier life cycle. | Track against the relationship's own review, renewal, monitoring, and termination points so one timing rule does not erase the other. | Run a separate clock for each side and surface the earliest decision date, the next scheduled review, and any transition period that changes implementation sequencing. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) |
| Enforcement or assurance route | Guidance rather than a certifiable standard, so the practical assurance route is the enterprise's own governance, contracts, assessments, audits, and monitoring. | Not a certification scheme of its own either; look for the comparator's assurance route in contracts, certifications held by the supplier (for example an ISO/IEC 27001 certificate whose scope covers the service), legal obligations, or customer requirements. | Escalate when the assurance routes differ: the same supplier file may need separate governance proof for NIST C-SCRM and for ISO supplier relationships. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) |
| Overlap and reuse | Reuse a control only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note that states the difference. | Reuse evidence from the other side only when the fact pattern, system boundary, control, owner, and source-linked requirement are genuinely the same. | Overlap reduces duplicated work, but it does not merge scope, owners, review dates, or the wording of either requirement. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) |
| Practical decision rule | Choose it when the work must become an enterprise C-SCRM program with strategy, policy, plans, acquisition requirements, controls, and periodic monitoring. | Choose it when the decision is primarily about supplier-relationship requirements, agreements, and life-cycle management outside the NIST program structure. | If both apply, keep NIST as the program lens and ISO as the supplier-relationship lens, then write one record that names the unique duty each side still has to satisfy. | [NIST SP 800-161 Rev. 1 Update 1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io), [NIST CSF 2.0](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io), [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io), [ISO/IEC 27036-3](https://www.iso.org/standard/59689.html?ref=sorena.io) |
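The evidence matrix, the separate review clocks, and the reuse rule in the table above can be checked mechanically rather than by hand. The script below is an added example, not code from this page or from either standard: the duty identifiers, field names, sample artifacts, owners, boundaries, and dates are all constructed, and the "same boundary, same owner, inside this side's own review interval" test is this example's reuse rule, not wording taken from NIST SP 800-161 or ISO/IEC 27036.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example: a minimal evidence-matrix checker for a two-framework supplier
# mapping. Every identifier, sample row, and date below is constructed for
# illustration; none is taken from NIST SP 800-161 Rev. 1 or ISO/IEC 27036.


@dataclass(frozen=True)
class Duty:
    framework: str            # "NIST" or "ISO": which side of the comparison owns the duty
    duty_id: str              # constructed label for one source-linked requirement
    owner: str                # accountable owner named for this side
    boundary: str             # supplier or system scope the duty is assessed against
    review_every_days: int    # this side's own review clock


@dataclass(frozen=True)
class Evidence:
    artifact: str
    owner: str
    boundary: str
    collected_on: date
    claimed_for: frozenset    # duty_ids the artifact is claimed to satisfy


def evidence_status(duty: Duty, ev: Evidence, today: date) -> str:
    """Classify one artifact against one duty without merging scope or owners."""
    if duty.duty_id not in ev.claimed_for:
        return "not-claimed"
    if ev.boundary != duty.boundary:
        return "boundary-mismatch"      # same supplier file, different system boundary: no reuse
    if ev.owner != duty.owner:
        return "owner-mismatch"         # the accountable owner is named per side
    if today - ev.collected_on > timedelta(days=duty.review_every_days):
        return "stale"                  # older than this side's review interval
    return "covered"


def coverage(duties, evidence, today):
    """Best status per duty; 'missing' when no artifact claims the duty at all."""
    rank = ["covered", "stale", "owner-mismatch", "boundary-mismatch", "not-claimed"]
    report = {}
    for d in duties:
        statuses = [evidence_status(d, e, today) for e in evidence]
        best = min(statuses, key=rank.index) if statuses else "not-claimed"
        report[d.duty_id] = "missing" if best == "not-claimed" else best
    return report


def next_review_dates(duties, evidence, today):
    """Separate clocks: earliest due date per framework from the artifacts that count."""
    due = {}
    for d in duties:
        for e in evidence:
            if evidence_status(d, e, today) in ("covered", "stale"):
                candidate = e.collected_on + timedelta(days=d.review_every_days)
                due[d.framework] = min(due.get(d.framework, candidate), candidate)
    return due


def reusable_across_sides(duties, evidence, today):
    """Artifacts that genuinely cover at least one NIST duty and one ISO duty today."""
    by_id = {d.duty_id: d for d in duties}
    out = []
    for e in evidence:
        sides = {by_id[i].framework for i in e.claimed_for
                 if i in by_id and evidence_status(by_id[i], e, today) == "covered"}
        if {"NIST", "ISO"} <= sides:
            out.append(e.artifact)
    return sorted(out)


# Constructed sample matrix: one supplier, both sides, three artifacts, one unmet duty.
DUTIES = [
    Duty("NIST", "nist-supplier-risk-assessment", "cscrm-pmo", "vendor-A/payment-gateway", 365),
    Duty("NIST", "nist-acquisition-requirements", "procurement", "vendor-A/payment-gateway", 365),
    Duty("ISO", "iso-supplier-agreement", "procurement", "vendor-A/payment-gateway", 730),
    Duty("ISO", "iso-supplier-monitoring", "vendor-mgmt", "vendor-A/all-services", 180),
    Duty("ISO", "iso-exit-plan", "vendor-mgmt", "vendor-A/payment-gateway", 365),
]
EVIDENCE = [
    Evidence("risk-assessment-2025.pdf", "cscrm-pmo", "vendor-A/payment-gateway",
             date(2025, 3, 1), frozenset({"nist-supplier-risk-assessment"})),
    Evidence("msa-security-schedule.pdf", "procurement", "vendor-A/payment-gateway",
             date(2025, 6, 1), frozenset({"nist-acquisition-requirements", "iso-supplier-agreement"})),
    Evidence("quarterly-review-q1.docx", "vendor-mgmt", "vendor-A/payment-gateway",
             date(2026, 1, 10), frozenset({"iso-supplier-monitoring"})),
]
TODAY = date(2026, 5, 9)

if __name__ == "__main__":
    print(coverage(DUTIES, EVIDENCE, TODAY))
    print(next_review_dates(DUTIES, EVIDENCE, TODAY))
    print(reusable_across_sides(DUTIES, EVIDENCE, TODAY))
```

On the constructed rows, the risk assessment is reported as stale against the NIST clock, the quarterly review is rejected for the ISO monitoring duty because its boundary is narrower than the duty's, the exit plan is reported as missing, and only the security schedule attached to the master agreement counts on both sides; the NIST side's next review date is already in the past while the ISO side's is not, which is exactly the case the "separate clocks" row asks teams to surface.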

Sources for Scope and covered activity - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Scope and covered activity - ISO/IEC 27036 supplier relationships:

- [ISO/IEC 27036-3 supplier relationship guidance](https://www.iso.org/standard/59689.html?ref=sorena.io) - Official ISO page for supply chain security guidance in supplier relationships.
  - Quote: "hardware, software, and services supply chain security"

Sources for Scope and covered activity - operational implication:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Who must act - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Who must act - ISO/IEC 27036 supplier relationships:

- [ISO/IEC 27036-3 supplier relationship guidance](https://www.iso.org/standard/59689.html?ref=sorena.io) - Official ISO page for supply chain security guidance in supplier relationships.
  - Quote: "hardware, software, and services supply chain security"

Sources for Who must act - operational implication:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Trigger or threshold - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Trigger or threshold - ISO/IEC 27036 supplier relationships:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Trigger or threshold - operational implication:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Core obligations - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Core obligations - ISO/IEC 27036 supplier relationships:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Core obligations - operational implication:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Evidence and records - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Evidence and records - ISO/IEC 27036 supplier relationships:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Evidence and records - operational implication:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Timing and cadence - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "reviewed and refreshed periodically"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Timing and cadence - ISO/IEC 27036 supplier relationships:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "reviewed and refreshed periodically"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Timing and cadence - operational implication:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Enforcement or assurance route - NIST SP 800-161 Rev. 1:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "contracts, assessments, and monitoring"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for Enforcement or assurance route - ISO/IEC 27036 supplier relationships:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "contracts, assessments, and monitoring"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"

Sources for the remaining rows (Enforcement or assurance route - operational implication; Overlap and reuse - NIST SP 800-161 Rev. 1, ISO/IEC 27036 supplier relationships, and operational implication; Practical decision rule - NIST SP 800-161 Rev. 1, ISO/IEC 27036 supplier relationships, and operational implication). All of these rows cite the same three NIST sources below, with one exception: the ISO/IEC 27036 supplier relationships side of the Practical decision rule row cites only the ISO source listed last.

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"
- [ISO/IEC 27036-3 supplier relationship guidance](https://www.iso.org/standard/59689.html?ref=sorena.io) - Official ISO page for supply chain security guidance in supplier relationships (cited for the ISO/IEC 27036 supplier relationships side of the Practical decision rule row).
  - Quote: "hardware, software, and services supply chain security"

### When should teams use NIST SP 800-161 Rev. 1 first versus ISO/IEC 27036 supplier relationships first?

- Use NIST SP 800-161 Rev. 1 first when the deliverable must be an enterprise C-SCRM program with strategy, policy, plans, acquisition requirements, controls, and monitoring.
- Use ISO/IEC 27036 supplier relationships first when the deliverable is primarily a supplier-relationship requirement set tied to agreements, due diligence, monitoring, and termination handling.
- Use both when the same supplier facts need two different records: one for the NIST program and one for the ISO supplier-relationship obligation.

Sources for the practical decision rule:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"
- [ISO/IEC 27036-3 supplier relationship guidance](https://www.iso.org/standard/59689.html?ref=sorena.io) - Official ISO page for supply chain security guidance in supplier relationships.
  - Quote: "hardware, software, and services supply chain security"

## How should teams use the NIST SP 800-161 Rev. 1 vs ISO/IEC 27036 supplier relationships comparison in practical compliance decisions?

Read the table row by row and write a decision record for the actual scope. The useful output is a source-linked mapping, not a broad statement that the two frameworks are similar.

- Define which side is the primary driver.
- Identify shared evidence only after both source-linked claims are clear.
- Keep legal, certification, customer, and internal governance timers separate.

Sources for this answer:

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
- [ISO/IEC 27036-3 supplier relationship guidance](https://www.iso.org/standard/59689.html?ref=sorena.io) - Official ISO page for supply chain security guidance in supplier relationships.

## Put this NIST SP 800-161 Rev. 1 C-SCRM guidance into practice

Use the cited sources to turn the guidance into scoped decisions, owners, evidence requests, and review checkpoints.

- [Open Assessment Autopilot for NIST SP 800-161 Rev. 1 C-SCRM](/solutions/research-copilot.md): Create source-linked tasks, evidence requests, and review checkpoints for this NIST SP 800-161 Rev. 1 C-SCRM scope.
- [Review this NIST SP 800-161 Rev. 1 C-SCRM scope with Sorena](/contact.md): Check source coverage, ownership, evidence gaps, and next steps before publishing or operationalizing the work.

## Primary sources

- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for the C-SCRM side of this comparison, including supply-chain risk practices, organizational tiers, and supplier assurance evidence.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"
- [ISO/IEC 27036-3 supplier relationship guidance](https://www.iso.org/standard/59689.html?ref=sorena.io) - Official ISO page for supply chain security guidance in supplier relationships.
  - Quote: "hardware, software, and services supply chain security"

## Related Topic Guides

- [How should teams handle counterfeits under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/counterfeits.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle critical suppliers under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/critical-suppliers.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle monitoring under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/monitoring.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle provenance under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/provenance.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle supplier incidents under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/supplier-incidents.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle supply chain risk response under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/supply-chain-risk-response.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle tiering under NIST SP 800-161 Rev. 1 supply-chain risk management?](/artifacts/global/nist-sp-800-161-rev-1/faq/tiering.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [NIST SP 800-161 Rev. 1 C-SCRM Governance Checklist](/artifacts/global/nist-sp-800-161-rev-1/c-scrm-governance-checklist.md): A practical workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.
- [NIST SP 800-161 Rev. 1 C-SCRM Governance Guide](/artifacts/global/nist-sp-800-161-rev-1/c-scrm-governance.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 compliance playbook](/artifacts/global/nist-sp-800-161-rev-1/compliance.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 Contract and Monitoring Controls](/artifacts/global/nist-sp-800-161-rev-1/contract-and-monitoring-controls.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 Criticality Analysis Guide](/artifacts/global/nist-sp-800-161-rev-1/criticality-analysis.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 FAQ: practical implementation questions](/artifacts/global/nist-sp-800-161-rev-1/faq.md): Standalone FAQ questions with source-linked answers, implementation checklists, and evidence guidance.
- [NIST SP 800-161 Rev. 1 Provenance and SBOM Supplier Controls](/artifacts/global/nist-sp-800-161-rev-1/provenance-and-sbom-supplier-controls.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 supplier assessment evidence: required artefacts and evaluation criteria](/artifacts/global/nist-sp-800-161-rev-1/supplier-assessment-evidence.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 Supplier Risk Tiering](/artifacts/global/nist-sp-800-161-rev-1/supplier-risk-tiering.md): Practical guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-161 Rev. 1 vs DORA ICT third-party risk: practical side-by-side comparison](/artifacts/global/nist-sp-800-161-rev-1/nist-sp-800-161-vs-dora.md): Compare NIST SP 800-161 Rev. 1 and DORA ICT third-party risk with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
- [NIST SP 800-161 Rev. 1: workflow for collecting and validating C-SCRM supplier evidence](/artifacts/global/nist-sp-800-161-rev-1/supplier-assessment-evidence-workflow.md): A practical workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.
- [Which contract controls should teams define under NIST SP 800-161 Rev. 1?](/artifacts/global/nist-sp-800-161-rev-1/faq/contract-controls.md): Source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/nist-sp-800-161-rev-1/nist-sp-800-161-vs-iso-27036
