NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (800-161r1, update 1). Only the subset of controls that the document itself identifies as mapping back to the Executive Order is included here.

Source Document: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf

800-161 to P-SSCRM mapping

Each row lists the 800-161 control(s) in the first column, the P-SSCRM task ID in the second, and the P-SSCRM task name in the third. Several 800-161 controls map to the same task, and a single control (for example SA-15) maps to several tasks.

NIST 800-161 control(s)            | ID    | P-SSCRM task
-----------------------------------|-------|---------------------------------------------------------
SA-15                              | G.1.1 | Organizational security requirements
CM-10                              | G.1.2 | Software license conflict
SA-15 AU-2 AU-3 AU-12              | G.1.3 | Produce attestation
SR-4                               | G.1.4 | Deliver provenance
SR-4                               | G.1.5 | Deliver SBOM
SA-15                              | G.2.2 | Secure SDLC checks
SA-3                               | G.2.3 | Roles and responsibilities
SA-11                              | G.2.4 | Security code review policy
CM-8 IA-4 PM-5                     | G.2.5 | Asset inventory
SC-28                              | G.2.6 | Protection of information at rest
SA-1 SA-4 SI-3 SA-9 SR-4 SR-5 SR-6 | G.3.1 | Security-related contract terms
AC-5                               | G.3.2 | Separation of duties
AU-13                              | G.3.3 | Information disclosure
AU-14                              | G.3.4 | Session audits
SR-8                               | G.3.5 | Notification agreement
AT-2 AT-3 SA-16                    | G.4.1 | Role-based training
CP-3 IR-2                          | G.4.2 | Contingency training
SI-4 SI-5 RA-5                     | G.4.3 | Gather attack trends
RA-9                               | G.5.1 | Criticality analysis
SA-15                              | G.5.4 | Data-informed product decisions
SA-8 SA-17                         | P.1.1 | Product security requirements
SA-17                              | P.2.1 | Security design review
SA-5                               | P.2.3 | Secure-by-default implementation
CM-7 SI-3                          | P.3.1 | Component and container choice
SI-3 SR-3 SR-4 SR-11               | P.3.4 | Vetted third-party component and container repositories
SA-15                              | P.4.2 | Automated security scanning tools
SA-11 RA-9 SI-7                    | P.4.3 | Automated vulnerability detection
SA-11                              | P.4.4 | Executable security testing
SA-4 SA-9 SA-11 SA-15 SR-3         | P.4.5 | Regular third-party compliance
SR-4                               | P.5.1 | SBOM consumption
SI-2                               | P.5.2 | Dependency update
SA-8 SA-10                         | E.1.2 | Version control
SA-22                              | E.1.6 | Decommission assets
IA-5 IA-9                          | E.3.1 | Authentication
SA-8 SA-15                         | E.3.2 | Environmental separation
AC-2 AC-3 AC-6 AC-17 IA-2          | E.3.3 | Role-based access control
AC-4 SC-8                          | E.3.4 | Information flow enforcement
CM-2                               | E.3.5 | Baseline configuration
CM-3 CM-6                          | E.3.6 | Monitor changes to configuration settings
SC-7                               | E.3.7 | Boundary protection
SA-15                              | D.1.1 | Vulnerability analysis
SA-5 SA-11                         | D.1.2 | Risk-based vulnerability remediation
SA-15                              | D.1.3 | Vulnerability disclosure
SI-2                               | D.1.4 | Vulnerability eradication
CA-7                               | D.2.1 | System monitoring