NIST SP 800-161 Rev. 1
Supply Chain Risk Management
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
All families: 307 controls
AC — Access Control (24 controls)
AC-1: Policy And Procedures
AC-2: Account Management
AC-3: Access Enforcement
AC-3(8): Revocation Of Access Authorizations
AC-3(9): Controlled Release
AC-4: Information Flow Enforcement
AC-4(1): Object Security And Privacy Attributes
AC-4(17): Domain Authentication
AC-4(19): Validation Of Metadata
AC-4(21): Physical Or Logical Separation Of Information Flows
AC-5: Separation Of Duties
AC-6: Least Privilege
AC-6(6): Privileged Access By Non-Organizational Users
AC-17: Remote Access
AC-17(6): Protection Of Mechanism Information
AC-18: Wireless Access
AC-19: Access Control For Mobile Devices
AC-20: Use Of External Systems
AC-20(1): Limits On Authorized Use
AC-20(3): Non-Organizationally Owned Systems -- Restricted Use
AC-21: Information Sharing
AC-22: Publicly Accessible Content
AC-23: Data Mining Protection
AC-24: Access Control Decisions
AT — Awareness and Training (12 controls)
AT-1: Policy And Procedures
AT-2: Literacy Training And Awareness
AT-2(1): Practical Exercises
AT-2(2): Insider Threat
AT-2(3): Social Engineering And Mining
AT-2(4): Suspicious Communications And Anomalous System Behavior
AT-2(5): Advanced Persistent Threat
AT-2(6): Cyber Threat Environment
AT-3: Role-Based Training
AT-3(2): Physical Security Controls
AT-3(8): Public sector enterprises should provide specialized counterintelligence awareness training that ...
AT-4: Training Records
AU — Audit and Accountability (14 controls)
AU-1: Policy And Procedures
AU-2: Event Logging
AU-3: Content Of Audit Records
AU-6: Audit Record Review, Analysis, And Reporting
AU-6(9): Correlation With Information From Nontechnical Sources
AU-10: Non-Repudiation
AU-10(1): Association Of Identities
AU-10(2): Validate Binding Of Information Producer Identity
AU-10(3): Chain Of Custody
AU-12: Audit Record Generation
AU-13: Monitoring For Information Disclosure
AU-14: Session Audit
AU-16: Cross-Organizational Audit Logging
AU-16(2): Sharing Of Audit Information
CA — Assessment, Authorization, and Monitoring (9 controls)
CM — Configuration Management (42 controls)
CM-1: Policy And Procedures
CM-2: Baseline Configuration
CM-2(6): Development And Test Environments
CM-3: Configuration Change Control
CM-3(1): Automated Documentation, Notification, And Prohibition Of Changes
CM-3(2): Testing, Validation, And Documentation Of Changes
CM-3(4): Security And Privacy Representatives
CM-3(8): Prevent Or Restrict Configuration Changes
CM-4: Impact Analyses
CM-4(1): Separate Test Environments
CM-5: Access Restrictions For Change
CM-5(1): Automated Access Enforcement And Audit Records
CM-5(6): Limit Library Privileges
CM-6: Configuration Settings
CM-6(1): Automated Management, Application, And Verification
CM-6(2): Respond To Unauthorized Changes
CM-7: Least Functionality
CM-7(1): Periodic Review
CM-7(4): Unauthorized Software -- Deny-By-Exception
CM-7(5): Authorized Software -- Allow-By-Exception
CM-7(6): Confined Environments With Limited Privileges
CM-7(7): Code Execution In Protected Environments
CM-7(8): Binary Or Machine Executable Code
CM-7(9): Prohibiting The Use Of Unauthorized Hardware
CM-8: System Component Inventory
CM-8(1): Updates During Installation And Removal
CM-8(2): Automated Maintenance
CM-8(4): Accountability Information
CM-8(6): Assessed Configurations And Approved Deviations
CM-8(7): Centralized Repository
CM-8(8): Automated Location Tracking
CM-8(9): Assignment Of Components To Systems
CM-8(10): If an enterprise uses an open source project that does not have an SBOM and the enterprise requir...
CM-9: Configuration Management Plan
CM-9(1): Assignment Of Responsibility
CM-10: Software Usage Restrictions
CM-10(1): Open-Source Software
CM-11: User-Installed Software
CM-12: Information Location
CM-12(1): Automated Tools To Support Information Location
CM-13: Data Action Mapping
CM-14: Signed Components
CP — Contingency Planning (16 controls)
CP-1: Policy And Procedures
CP-2: Contingency Plan
CP-2(1): Coordinate With Related Plans
CP-2(2): Capacity Planning
CP-2(7): Coordinate With External Service Providers
CP-2(8): Identify Critical Assets
CP-3: Contingency Training
CP-3(1): Simulated Events
CP-4: Contingency Plan Testing
CP-6: Alternate Storage Site
CP-6(1): Separation From Primary Site
CP-7: Alternate Processing Site
CP-8: Telecommunications Services
CP-8(3): Separation Of Primary And Alternate Providers
CP-8(4): Provider Contingency Plan
CP-11: Alternate Communications Protocols
IA — Identification and Authentication (10 controls)
IA-1: Policy And Procedures
IA-2: Identification And Authentication (Organizational Users)
IA-3: Device Identification And Authentication
IA-4: Identifier Management
IA-4(6): Cross-Organization Management
IA-5: Authenticator Management
IA-5(5): Change Authenticators Prior To Delivery
IA-5(9): Federated Credential Management
IA-8: Identification And Authentication (Non-Organizational Users)
IA-9: Service Identification And Authentication
IR — Incident Response (16 controls)
IR-1: Policy And Procedures
IR-1(1): Enterprises should ensure that their incident response policies and procedures provide guidance o...
IR-2: Incident Response Training
IR-3: Incident Response Testing
IR-4: Incident Handling
IR-4(6): Insider Threats
IR-4(7): Insider Threats -- Intra-Organization Coordination
IR-4(10): Supply Chain Coordination
IR-4(11): Integrated Incident Response Team
IR-5: Incident Monitoring
IR-6: Incident Reporting
IR-6(3): Supply Chain Coordination
IR-7: Incident Response Assistance
IR-7(2): Coordination With External Providers
IR-8: Incident Response Plan
IR-9: Information Spillage Response
MA — Maintenance (14 controls)
MA-1: Policy And Procedures
MA-2: Controlled Maintenance
MA-2(2): Automated Maintenance Activities
MA-3: Maintenance Tools
MA-3(1): Inspect Tools
MA-3(2): Inspect Media
MA-3(3): Prevent Unauthorized Removal
MA-4: Nonlocal Maintenance
MA-4(3): Comparable Security And Sanitization
MA-5: Maintenance Personnel
MA-5(4): Foreign Nationals
MA-6: Timely Maintenance
MA-7: Field Maintenance
MA-8: Tracking the failure rates of components provides useful information to the acquirer to help plan...
MP — Media Protection (4 controls)
PE — Physical and Environmental Protection (13 controls)
PE-1: Policy And Procedures
PE-2: Physical Access Authorizations
PE-2(1): Access By Position Or Role
PE-3: Physical Access Control
PE-3(1): System Access
PE-3(2): Facility And Systems
PE-3(5): Tamper Protection
PE-6: Monitoring Physical Access
PE-16: Delivery And Removal
PE-17: Alternate Work Site
PE-18: Location Of System Components
PE-20: Asset Monitoring And Tracking
PE-23: Facility Location
PL — Planning (8 controls)
PM — Program Management (30 controls)
PM-2: Information Security Program Leadership Role
PM-3: Information Security And Privacy Resources
PM-4: Plan Of Action And Milestones Process
PM-5: System Inventory
PM-6: Measures Of Performance
PM-7: Enterprise Architecture
PM-8: Critical Infrastructure Plan
PM-9: Risk Management Strategy
PM-10: Authorization Process
PM-11: Mission And Business Process Definition
PM-12: Insider Threat Program
PM-13: Security And Privacy Workforce
PM-14: Testing, Training, And Monitoring
PM-15: Security And Privacy Groups And Associations
PM-16: Threat Awareness Program
PM-17: Protecting Controlled Unclassified Information On External Systems
PM-18: Privacy Program Plan
PM-19: Privacy Program Leadership Role
PM-20: Dissemination Of Privacy Program Information
PM-21: Accounting Of Disclosures
PM-22: Personally Identifiable Information Quality Management
PM-23: Data Governance Body
PM-25: Minimization Of Personally Identifiable Information Used In Testing, Training, And Research
PM-26: Complaint Management
PM-27: Privacy Reporting
PM-28: Risk Framing
PM-29: Risk Management Program Leadership Roles
PM-30: Supply Chain Risk Management Strategy
PM-31: Continuous Monitoring Strategy
PM-32: Purposing
PS — Personnel Security (4 controls)
PT — PII Processing and Transparency (1 control)
RA — Risk Assessment (9 controls)
SA — System and Services Acquisition (26 controls)
SA-1: Policy And Procedures
SA-2: Allocation Of Resources
SA-3: System Development Life Cycle
SA-4: Acquisition Process
SA-4(5): System, Component, And Service Configurations
SA-4(7): NIAP-Approved Protection Profiles
SA-4(8): Continuous Monitoring Plan For Controls
SA-5: System Documentation
SA-8: Security And Privacy Engineering Principles
SA-9: External System Services
SA-9(1): Risk Assessments And Organizational Approvals
SA-9(3): Establish And Maintain Trust Relationship With Providers
SA-9(4): Consistent Interests Of Consumers And Providers
SA-9(5): Processing, Storage, And Service Location
SA-10: Developer Configuration Management
SA-11: Developer Testing And Evaluation
SA-15: Development Process, Standards, And Tools
SA-15(3): Criticality Analysis
SA-15(4): Threat Modeling And Vulnerability Analysis
SA-15(8): Reuse Of Threat And Vulnerability Information
SA-16: Developer-Provided Training
SA-17: Developer Security And Privacy Architecture And Design
SA-20: Customized Development Of Critical Components
SA-21: Developer Screening
SA-21(1): Validation Of Screening
SA-22: Unsupported System Components
SC — System and Communications Protection (24 controls)
SC-1: Policy And Procedures
SC-4: Information In Shared System Resources
SC-5: Denial-Of-Service Protection
SC-5(2): Capacity, Bandwidth, And Redundancy
SC-7: Boundary Protection
SC-7(13): Isolation Of Security Tools, Mechanisms, And Support Components
SC-7(14): Protect Against Unauthorized Physical Connections
SC-7(19): Block Communication From Non-Organizationally Configured Hosts
SC-8: Transmission Confidentiality And Integrity
SC-18: Mobile Code
SC-18(2): Acquisition, Development, And Use
SC-27: Platform-Independent Applications
SC-28: Protection Of Information At Rest
SC-29: Heterogeneity
SC-30: Concealment And Misdirection
SC-30(2): Randomness
SC-30(3): Change Processing And Storage Locations
SC-30(4): Misleading Information
SC-30(5): Concealment Of System Components
SC-36: Distributed Processing And Storage
SC-37: Out-Of-Band Channels
SC-37(1): Ensure Delivery And Transmission
SC-38: Operations Security
SC-47: Alternate Communications Paths
SI — System and Information Integrity (13 controls)
SI-1: Policy And Procedures
SI-2: Flaw Remediation
SI-2(5): Automatic Software And Firmware Updates
SI-3: Malicious Code Protection
SI-4: System Monitoring
SI-4(17): Integrated Situational Awareness
SI-4(19): Risk For Individuals
SI-5: Security Alerts, Advisories, And Directives
SI-7: Software, Firmware, And Information Integrity
SI-7(14): Binary Or Machine Executable Code
SI-7(15): Code Authentication
SI-12: Information Management And Retention
SI-20: Tainting
SR — Supply Chain Risk Management (18 controls)
SR-1: Policy And Procedures
SR-2: Supply Chain Risk Management Plan
SR-3: Supply Chain Controls And Processes
SR-3(1): Diverse Supply Base
SR-3(3): Sub-Tier Flow Down
SR-4: Provenance
SR-5: Acquisition Strategies, Tools, And Methods
SR-6: Supplier Assessments And Reviews
SR-7: Supply Chain Operations Security
SR-8: Notification Agreements
SR-9: Tamper Resistance And Detection
SR-10: Inspection Of Systems Or Components
SR-11: Component Authenticity
SR-11(1): Anti-Counterfeit Training
SR-11(2): Configuration Control For Component Service And Repair
SR-11(3): Anti-Counterfeit Scanning
SR-12: Component Disposal
SR-13a