NIST - National Institute of Standards and Technology

07/08/2026 | Press release | Distributed by Public on 07/09/2026 03:19

NIST Cybersecurity Supply Chain Management: Due Diligence Assessment Quick-Start Guide

Published
July 8, 2026

Author(s)

Jon Boyens, Rebecca McWhite, Laura Calloway

Abstract

Due diligence research is the investigative process of researching all available, pertinent information about a given supplier or product so that informed decisions can be made on new acquisitions or existing systems. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program management capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161 (Revision 1). Due diligence supplier assessments can be applied to any type of supplier, but this Quick-Start Guide is scoped to information and communications technology (ICT) suppliers. The components of a Due Diligence Assessment are Foreign Ownership, Control, or Influence (FOCI); Provenance; Resilience; Foundational Cyber Practices; and Supply Chain Tiers.
Citation
Special Publication (NIST SP) - 1326
Report Number
1326
Pub Type
NIST Pubs

Keywords

due diligence, C-SCRM, cybersecurity supply chain risk management

Citation

Boyens, J. , McWhite, R. and Calloway, L. (2026), NIST Cybersecurity Supply Chain Management: Due Diligence Assessment Quick-Start Guide, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.1326, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=961156 (Accessed July 9, 2026)
Additional citation formats

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

NIST - National Institute of Standards and Technology published this content on July 08, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 09, 2026 at 09:19 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]