NIST SP 800-161

NIST SP 800-161 overview

The National Institute of Standards and Technology (NIST) SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology (ICT) supply chain risks throughout their organizations. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities. The processes and controls described in the publication build on federal agency guidance, and are intended for federal agencies to consider and implement. While entities outside of the federal government may decide to consult NIST SP 800-161 as a source of good practices, the publication doesn't contain any specific guidance for those entities, such as cloud service providers.

Azure and NIST SP 800-161

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).

The System and Services Acquisition (SA) control family that's part of the NIST SP 800-53 control baseline, provides control coverage for supply chain risk assessments. For example, the SA-12 control is focused specifically on supply chain protection and is included in the FedRAMP High control baseline.

An accredited third-party assessment organization (3PAO) has attested that Azure implementation of the NIST SP 800-53 Rev. 4 supply chain controls, SA-12 and SA-19, is in alignment with the NIST SP 800-161 guidelines. Based on the 3PAO analysis, NIST SP 800-161 maps closely to security controls SA-12 and SA-19, which were tested as part of the Azure Government assessment conducted for the US Department of Defense (DoD). The assessment of SA-12 and SA-19 controls was conducted using NIST SP 800-53A Rev. 4 assessment procedures.

Microsoft’s supply chain processes are implemented at a programmatic level and applicable across the board for all Azure systems. Based on the 3PAO's review of the SA-12 and SA-19 security controls, Microsoft's supply chain best practices are built into the procurement process to prevent and mitigate ICT supply chain risks, such as insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the ICT supply chain. Moreover, Microsoft has implemented anti-counterfeit policies and procedures to detect and prevent counterfeit components from entering the Azure system.

Microsoft Azure also maintains authoritative lists of approved software through its Definitive Software Library (DSL) to ensure that software updates are provisioned only from approved sources. In the event any counterfeit components are detected, Azure follows the standard incident handling and reporting procedures and mechanisms established for security incidents. Using the assessment data, the 3PAO attested that the Azure cloud service offering (CSO) is in compliance with the NIST SP 800-53 Rev. 4 SA-12 and SA-19 security controls, and aligned with NIST SP 800-161 ICT SCRM SA-12 and SA-19 supplemental guidance for federal agencies.

Applicability

• Azure
• Azure Government

Services in scope

• Azure services in scope for NIST SP 800-161 reflect the Azure FedRAMP High P-ATO scope.
• Azure Government services in scope for NIST SP 800-161 reflect the Azure Government FedRAMP High P-ATO scope.

For more information, see Cloud services in audit scope.

Attestation documents

For instructions on how to access attestation documents, see Audit documentation. The following attestation letter is available from the Service Trust Portal (STP) United States Government section:

• Azure Government – Attestation of Compliance with NIST SP 800-161

An accredited third-party assessment organization (3PAO) has attested that Azure implementation of the NIST SP 800-53 Rev. 4 supply chain controls, SA-12 and SA-19, is in alignment with the NIST SP 800-161 guidelines. Based on the 3PAO analysis, NIST SP 800-161 maps closely to security controls SA-12 and SA-19, which were tested as part of the Azure Government assessment conducted for the US Department of Defense (DoD). The assessment of SA-12 and SA-19 controls was conducted using NIST SP 800-53A Rev. 4 assessment procedures.

For access to Azure and Azure Government FedRAMP documentation, see FedRAMP attestation documents.

Frequently asked questions

Can I use Azure NIST SP 800-161 compliance offering for my organization?
Yes. You may use Azure or Azure Government FedRAMP High P-ATO as the foundation for any compliance program that relies on NIST SP 800-53 control requirements, including NIST SP 800-161. Control implementation details are documented in the FedRAMP System Security Plan (SSP). Moreover, you may also benefit from an attestation produced by a 3PAO that Azure Government is in alignment with the NIST SP 800-161 guidance. Microsoft doesn't inspect, approve, or monitor your Azure applications. You're responsible for ensuring that your Azure applications are aligned with NIST SP 800-161 guidelines.

How can I get the Azure NIST SP 800-161 attestation documents?
For links to audit documentation, see Attestation documents.

Does Microsoft have a supply chain assurance program?
Yes. For more information about Microsoft supply chain assurances, see:

• Supplier management overview
• Securing the supply chain with risk-based assessments
• Supplier privacy and assurance standards
• Hardware supply chain
• Secure Supply Chain Consumption Framework (S2C2F)

Should I use Azure or Azure Government for workloads that need to be aligned with NIST SP 800-161?
You're wholly responsible for ensuring your own compliance with all applicable laws and regulations, and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same controls for supply chain risk management. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

Resources

• Azure compliance documentation
• Azure enables a world of compliance
• Microsoft 365 compliance offerings
• Compliance on the Microsoft Trust Center
• What is Azure Government?
• Explore Azure Government
• Microsoft government solutions
• NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
• NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
• NIST SP 800-218 Secure Software Development Framework (SSDF)
• CIS Software Supply Chain Security Guide
• OWASP Software Component Verification Standard
• NSA Enduring Security Framework
• Executive Order 14028: Improving the Nation's Cybersecurity