NIST invites comments on the initial public draft (ipd) of Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.
The system security plan, privacy plan, and cybersecurity supply chain risk management (C-SCRM) plan consolidate information about the assets and individuals being protected within an authorization boundary and the systems interconnected with it. These system plans serve as a centralized point of reference for information about the system and its risk management decisions, including: the data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for the system's risk management efforts; details about the internal and external environments of operation, system components, and data flows; and the controls that are planned or in place to manage risks.
The major changes for this revision include:
- Expanded guidance to address the development of system plans within the context of the NIST Risk Management Framework, the NIST Privacy Framework, and SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- Insights into the development of a consolidated system plan that encompasses security, privacy, and cybersecurity supply chain risk management plan elements
- Updated descriptions of system plan elements
- Considerations for automating the development and maintenance of system plans using information management tools, such as governance, risk, and compliance (GRC) applications
Additionally, the following supplemental materials are available:
- Security Plan Example Outline
- Privacy Plan Example Outline
- C-SCRM Plan Example Outline
- System Plan Related Roles and Responsibilities
The comment period is open through July 30, 2025. See the publication details for a copy of the draft, supplemental files, and a comment template. Commenters are encouraged to use that template and submit feedback to sec-cert@nist.gov with “SP 800-18r2 ipd comments” in the subject.