NIST SP 800-161

NIST SP 800-161 overview

The National Institute of Standards and Technology (NIST) SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology (ICT) supply chain risks throughout their organizations. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities. The processes and controls described in the publication build on federal agency guidance, and are intended for federal agencies to consider and implement. While entities outside of the federal government may decide to consult NIST SP 800-161 as a source of good practices, the publication doesn't contain any specific guidance for those entities, such as cloud service providers.

Azure and NIST SP 800-161

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).

The System and Services Acquisition (SA) control family, which is part of the NIST SP 800-53 control baseline, provides control coverage for supply chain risk assessments. For example, the SA-12 control is focused specifically on supply chain protection and is included in the FedRAMP High control baseline.

An accredited third-party assessment organization (3PAO) has attested that Azure implementation of the NIST SP 800-53 Rev. 4 supply chain controls, SA-12 and SA-19, is in alignment with the NIST SP 800-161 guidelines. Based on the 3PAO analysis, NIST SP 800-161 maps closely to security controls SA-12 and SA-19, which were tested as part of the Azure Government assessment conducted for the US Department of Defense (DoD). The assessment of SA-12 and SA-19 controls was conducted using NIST SP 800-53A Rev. 4 assessment procedures.

Microsoft’s supply chain processes are implemented at a programmatic level and applicable across the board for all Azure systems. Based on the 3PAO's review of the SA-12 and SA-19 security controls, Microsoft's supply chain best practices are built into the procurement process to prevent and mitigate ICT supply chain risks, such as insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the ICT supply chain. Moreover, Microsoft has implemented anti-counterfeit policies and procedures to detect and prevent counterfeit components from entering the Azure system.

Microsoft Azure also maintains authoritative lists of approved software through its Definitive Software Library (DSL) to ensure that software updates are provisioned only from approved sources. In the event any counterfeit components are detected, Azure follows the standard incident handling and reporting procedures and mechanisms established for security incidents. Using the assessment data, the 3PAO attested that the Azure cloud service offering (CSO) is in compliance with the NIST SP 800-53 Rev. 4 SA-12 and SA-19 security controls, and aligned with NIST SP 800-161 ICT SCRM SA-12 and SA-19 supplemental guidance for federal agencies.

Applicability

  • Azure
  • Azure Government

Services in scope

  • Azure services in scope for NIST SP 800-161 reflect Azure FedRAMP High scope.
  • Azure Government services in scope for NIST SP 800-161 reflect Azure Government FedRAMP High scope.

Attestation documents

You can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.

You can access certain audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Microsoft Defender for Cloud > Regulatory compliance > Audit reports or using direct links based on your subscription (sign in required).

You must have an existing subscription or free trial account in Azure or Azure Government to download audit documents. The following documents are available:

Select Azure Government FedRAMP documentation, including the System Security Plan (SSP), continuous monitoring reports, the Plan of Action and Milestones (POA&M), and so on, is available under NDA and pending access authorization from the Service Trust Portal Audit Reports – FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Frequently asked questions

Can I use the Azure NIST SP 800-161 compliance offering for my organization?
Yes. You may use the Azure or Azure Government FedRAMP High P-ATO as the foundation for any compliance program that relies on NIST SP 800-53 control requirements, including NIST SP 800-161. Control implementation details are documented in the FedRAMP System Security Plan (SSP). Moreover, you may also benefit from an attestation produced by a 3PAO that Azure Government is in alignment with the NIST SP 800-161 guidance. Microsoft doesn't inspect, approve, or monitor your Azure applications. You're responsible for ensuring that your Azure applications are aligned with NIST SP 800-161 guidelines.

Where can I get the Azure NIST SP 800-161 attestation documents?
For links to audit documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Does Microsoft have a supply chain assurance program?
Yes. For more information about Microsoft supply chain assurances, see:

Should I use Azure or Azure Government for workloads that need to be aligned with NIST SP 800-161?
You're wholly responsible for ensuring your own compliance with all applicable laws and regulations, and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same controls for supply chain risk management. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

Resources