The U.S. NIST this week released a draft of Special Publication 800-18r2, which focuses on the development of system plans that address system-level security, privacy, and cybersecurity supply chain risk management (C-SCRM) requirements that may derive from enterprise, organization, and mission/business process requirements. The agency is seeking feedback on the draft’s technical accuracy, clarity, usability, and the impact of changes made to the content.
NIST is particularly interested in feedback on how the guidelines align with current organizational practices for documenting or reporting security, privacy, and cybersecurity supply chain risk management at the system level. It is also seeking input on how the guidelines and supplemental materials might influence future practices and processes. Comments are welcome on whether additional system plan elements could improve the usability of the information captured.
NIST is also looking for perspectives on automating the capture of system information using enterprise security tools to enhance risk management and support more informed decision-making. The public comment period is open through July 30 this year.
The revision introduces several key updates. It expands guidance on developing system plans within the frameworks of the NIST Risk Management Framework, the NIST Privacy Framework, and NIST SP 800-161r1, which outlines cybersecurity supply chain risk management practices for systems and organizations. It focuses on the development and maintenance of system plans to support risk management activities, including tasks outlined in the NIST Risk Management Framework (RMF) as described in SP 800-37.
The revision provides detailed guidance on the content elements that should be included in system plans. It also discusses how automation can be used throughout the system life cycle to develop and maintain these plans, including considerations for sharing and safeguarding system plan information. In addition, the revision includes supplemental materials such as example system plan outlines and updated guidance on roles and responsibilities that may influence the development process.
Federal agencies are required to develop and maintain system plans to manage risks, including specific implementation details for the controls used to meet those requirements. Nonfederal organizations may choose to apply these guidelines voluntarily, aligning their system planning efforts with broader risk management strategies.
The revision explains how to create a consolidated system plan that integrates security, privacy, and supply chain risk management elements. The descriptions of system plan components have been updated to reflect requirements related to security, privacy, and cybersecurity supply chain risks.
The 800-18r2 revision also includes considerations for automating the creation and maintenance of system plans using information management tools such as governance, risk, and compliance applications. Supplemental materials feature example outlines for system plans and updated guidance on roles and responsibilities tied to their development.
The system security plan outlines the system’s security requirements and the measures that are in place or planned to meet those requirements. It enables organizational leadership and system management personnel to manage security risks and make informed risk management decisions throughout the system’s life cycle. The plan also describes the controls, either implemented or planned, addressing the system’s security needs.
It identifies the individuals responsible for maintaining security protections for the system’s information and information systems. The plan consolidates key details about the system, including its purpose, authorization boundary, security categorization as defined by FIPS 199, operational status, and operating environment. Finally, it demonstrates how core security objectives such as confidentiality, integrity, and availability are achieved through sound security engineering practices designed to support resilient and trustworthy systems.
The C-SCRM plan defines how supply chain risks are managed at the system level. It identifies relevant policies, requirements, constraints, and implications that apply specifically to the system’s cybersecurity supply chain. The plan also outlines the system’s approach to managing risks tied to the research, development, design, manufacturing, acquisition, delivery, integration, operation, maintenance, and eventual disposal of its components or services.
Additionally, the plan places the system within the broader context of the organization’s supply chain risk tolerance. It includes details on acceptable risk response strategies or controls, outlines a process for continuous evaluation and monitoring of supply chain risks, and explains how the plan will be implemented and communicated. It also provides a description and justification for the mitigation measures taken to address supply chain risks.
The plan includes supplier and component inventories, highlighting their criticality to the system. It identifies key individuals responsible for supply chain-related roles, describes the implementation of supply chain-specific security controls, and incorporates system diagrams and known interdependencies with other systems.
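The elements listed above for the security plan (FIPS 199 categorization, authorization boundary, responsible individuals) and for the C-SCRM plan (supplier and component inventory with criticality) are the kind of data the draft suggests capturing with automation. The following is an added example, not code from NIST or the article: it derives the overall FIPS 199 category by the high-water mark rule and checks a constructed, machine-readable plan record for those elements. The record layout, the role names and the rule set are assumptions, not a NIST schema.

```python
# Added example, not from NIST SP 800-18r2 or the article. The record layout
# and the rules are assumptions, not a NIST schema.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
REQUIRED = ("purpose", "authorization_boundary", "categorization",
            "operational_status", "environment")

def fips199_high_water_mark(categorization):
    """Overall FIPS 199 category: the highest impact level assigned to any
    of confidentiality, integrity and availability."""
    return max((categorization[obj] for obj in OBJECTIVES),
               key=lambda level: IMPACT_RANK[level])

def validate_system_plan(plan):
    """Return findings for elements the plan lacks; an empty list passes.
    The rules are a hypothetical subset of what the draft calls for."""
    findings = []
    for key in REQUIRED:
        if not plan.get(key):
            findings.append(f"missing element: {key}")
    for obj in OBJECTIVES:
        if plan.get("categorization", {}).get(obj) not in IMPACT_RANK:
            findings.append(f"{obj} impact must be low, moderate or high")
    for role in ("security_officer", "scrm_lead"):
        if not plan.get("roles", {}).get(role):
            findings.append(f"no individual named for role: {role}")
    for comp in plan.get("components", []):
        # Supplier and control mapping are checked only for critical components.
        if comp.get("criticality") == "high":
            for item in ("supplier", "scrm_controls"):
                if not comp.get(item):
                    findings.append(f"critical component {comp['name']} lacks {item}")
    return findings

# Constructed sample record; every value is made up for illustration.
SAMPLE_PLAN = {
    "purpose": "Grants processing portal",
    "authorization_boundary": "web tier, API tier, grants database",
    "categorization": {"confidentiality": "moderate", "integrity": "high",
                       "availability": "low"},
    "operational_status": "operational",
    "environment": "agency cloud tenant",
    "roles": {"security_officer": "J. Doe", "scrm_lead": "A. Roe"},
    "components": [
        {"name": "grants database", "supplier": "Vendor X", "criticality": "high",
         "scrm_controls": ["SR-3", "SR-6"]},  # SP 800-53 SR family, example mapping
        {"name": "log shipper", "supplier": "", "criticality": "low"},
    ],
}
```

For the sample record the overall category is "high" (driven by integrity) and the check returns no findings; removing the supplier from the critical component produces a finding.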
The NIST RMF provides a methodology for managing system risks by applying organizational policies and system-level procedures that support the development of system plans. This includes defining responsibilities, conducting ongoing reviews and updates, approving system plans, and assessing the implementation of controls. The 800-18r2 revision explains how system plans align with each step of the RMF and outlines the relevant outputs associated with specific tasks included in system plans.
In April, NIST released a draft update to its Privacy Framework, aligning it more closely with the recently updated Cybersecurity Framework. The changes to the NIST Privacy Framework 1.1 Initial Public Draft (IPD) aim to improve usability and address feedback from stakeholders by refining content and structure. NIST is accepting public comments on the draft through June 13, 2025.