Author(s)
Jeremy Licata, Rebecca McWhite, Laura Calloway, Meghan Anderson, Julie Snyder, Dylan Gilbert, Jeremy Miller
Abstract
The system security plan, system privacy plan, and cybersecurity supply chain risk management plan are collectively referred to as system plans. They describe the purpose of the system, the operational status of the controls selected and allocated for meeting risk management requirements, and the responsibilities and expected behavior of all individuals who manage, support, and access the system. This publication identifies essential elements of system plans from security, privacy, and cybersecurity supply chain risk management perspectives to promote consistent information collection across the organization, regardless of the system's mission or business function.
Citation
Special Publication (NIST SP) - 800-18r2
Keywords
authorization boundary, authorizing official, common control authorization, control implementation details, cybersecurity supply chain risk management plan, privacy plan, privacy risk management, risk management framework, security plan, security risk management, authorization to operate, authorization to use, authorizing official designated representative, CASES Act, control implementation, controls, FASCSA, FISMA, ongoing authorization, Privacy Act, supply chain, supply chain risk management, system privacy plan, system security plan, system owner
Citation
Licata, J., McWhite, R., Calloway, L., Anderson, M., Snyder, J., Gilbert, D. and Miller, J. (2026), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-18r2, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=962039 (Accessed July 2, 2026)
Issues
If you have any questions about this publication or are having problems accessing it, please contact [email protected].