NIST SP 800-161 (Rev 2)
Supply Chain Risk Management practices for federal systems — the foundation for SBOM and software provenance requirements.
Federal agencies and their suppliers; widely adopted in private sector SCRM programs.
Continuous evidence pipeline available; audit support included for all customers.
What NIST 800-161 actually requires.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Organisation-level SCRM strategy with named roles and escalation paths.
Supplier inventory and tiering by criticality and access.
Supplier security agreements (SLAs, attestation cadence, right-to-audit).
Software Bill of Materials (SBOM) for each acquired component (aligned with EO 14028 §4(e)).
Component integrity verification — signed artifacts, provenance, vulnerability monitoring.
Foreign Ownership, Control or Influence (FOCI) screening for suppliers in sensitive contexts.
Pre-mapped controls. Continuous evidence.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Automatic SBOM generation per build, signed (Sigstore) and stored with full provenance.
Continuous monitoring of every component for new CVEs, KEV inclusion, and EOL events.
Supplier risk scoring with tier classification (T1–T4) and renewal cadence.
FOCI-screening hooks: components flagged when transitive dependencies touch high-risk jurisdictions.
Component integrity attestations (in-toto, SLSA L3) verifiable without trusting Safeguard.
Artifacts your auditor accepts.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Signed SBOMs in CycloneDX or SPDX with VEX (Vulnerability Exploitability eXchange) annotations.
Supplier inventory with tiering and risk score per supplier.
Component provenance graph from source to deployed artifact.
EOL / supplier-discontinuation alerts with replacement recommendations.
One evidence base. Many regulators.
These frameworks share substantial control overlap with NIST 800-161. Customers running one assessment typically satisfy the others with the same evidence base.
FedRAMP HIGH (North America): Federal cloud authorisation for systems handling High-impact CUI and mission data.
CMMC Level 2 / Level 3 (North America): Cyber maturity certification for any contractor handling CUI in the US Defense Industrial Base.
NIST SP 800-218, SSDF (North America): The Secure Software Development Framework that backs EO 14028, the CISA attestation form, and most modern software supply-chain mandates.
EO 14028 (North America): The 2021 Executive Order that introduced SBOM mandates, zero-trust architecture targets, and software vendor attestation requirements.
Ready for NIST 800-161?
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.