NIST - National Institute of Standards and Technology

06/30/2026 | Press release | Archived content

Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

Published
June 30, 2026

Author(s)

Jeremy Licata, Rebecca McWhite, Laura Calloway, Meghan Anderson, Julie Snyder, Dylan Gilbert, Jeremy Miller

Abstract

The system security plan, system privacy plan, and cybersecurity supply chain risk management plan are collectively referred to as system plans. They describe the purpose of the system, the operational status of the controls selected and allocated for meeting risk management requirements, and the responsibilities and expected behavior of all individuals who manage, support, and access the system. This publication identifies essential elements of system plans from security, privacy, and cybersecurity supply chain risk management perspectives to promote consistent information collection across the organization, regardless of the system's mission or business function.
Citation
Special Publication (NIST SP) - 800-18r2

Report Number
800-18r2

Pub Type
NIST Pubs

Keywords

authorization boundary, authorizing official, common control authorization, control implementation details, cybersecurity supply chain risk management plan, privacy plan, privacy risk management, risk management framework, security plan, security risk management, authorization to operate, authorization to use, authorizing official designated representative, CASES Act, control implementation, controls, FASCSA, FISMA, ongoing authorization, Privacy Act, supply chain, supply chain risk management, system privacy plan, system security plan, system owner

Citation

Licata, J., McWhite, R., Calloway, L., Anderson, M., Snyder, J., Gilbert, D. and Miller, J. (2026), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-18r2, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=962039 (Accessed July 2, 2026)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

NIST - National Institute of Standards and Technology published this content on June 30, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 03, 2026 at 03:48 UTC.