feat: add NIST SP 800-161 Cybersecurity Supply Chain Risk Management skill#41
Open
sjackson0109 wants to merge 1 commit into Sushegaad:main from
…skill

PLUGIN: nist-sp-800-161
VERSION: 1.0.0
SOURCE: NIST Special Publication 800-161 Revision 1, May 2022
TITLE: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
CSRC: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final

PLUGIN STRUCTURE:
plugins/nist-sp-800-161/.claude-plugin/plugin.json
plugins/nist-sp-800-161/skills/nist-sp-800-161/SKILL.md
plugins/nist-sp-800-161/skills/nist-sp-800-161/references/sr-control-family.md
plugins/nist-sp-800-161/skills/nist-sp-800-161/references/supplier-assessment.md
plugins/nist-sp-800-161/skills/nist-sp-800-161/references/c-scrm-programme.md

FRAMEWORK COVERAGE:
1. C-SCRM definition and scope: full ICT supply chain lifecycle from design through disposal
2. ICT supply chain threats: counterfeit components, tampered products, inferior products, IP theft, malicious code insertion, insecure manufacturing
3. Multi-tier C-SCRM model: Tier 1 (Enterprise), Tier 2 (Mission/Business), Tier 3 (Information System) with supplier tier hierarchy (prime, sub-tier, component manufacturer)
4. C-SCRM programme components: policy, strategy, plan, and controls implementation
5. Critical component identification: 7 sensitivity criteria, critical designation triggers, handling requirements throughout lifecycle
6. SP 800-53 Rev 5 SR control family: all 12 base controls (SR-1 through SR-12) plus all enhancements with baseline assignments and implementation guidance
7. SBOM requirements: NTIA minimum 7 data fields, SPDX and CycloneDX formats, delivery requirements, consumption process with NVD cross-referencing
8. Supplier risk tiering: 7-factor scoring matrix yielding Low/Moderate/High/Critical tier classification
9. Supplier assessments: five assessment types (documentation review, questionnaire, third-party, on-site audit, penetration testing), frequency guidance, unscheduled reassessment triggers
10. Acquisition lifecycle integration: six-phase coverage from requirements definition through disposal with C-SCRM actions per phase
11. C-SCRM contract clauses: 8 model clauses covering flow-down, incident notification, change notification, EOL, authenticity warranties, SBOM delivery, right-to-audit, ownership change
12. Supplier assessment questionnaire: five sections covering security programme, secure development, sub-tier management, incident response, and physical security
13. Provenance documentation: required fields for hardware and software components, SR-4 enhancements (identity, track/trace, validate genuine, pedigree)
14. Component disposal: SR-12 requirements including SP 800-88 sanitisation alignment, anti-counterfeit disposal procedures, certificate of destruction
15. Roles and responsibilities: CIO, SAORM, Chief Acquisition Officer, C-SCRM Programme Manager, ISO, ISSO, Contracting Officer, Legal Counsel
16. C-SCRM metrics: 7 programme-level metrics with measurements and targets

REFERENCE FILES:
sr-control-family.md:
- All SR-1 through SR-12 controls with detailed implementation guidance
- All SR control enhancements with descriptions and applicability
- SR control baseline assignments (Low/Moderate/High)
- Per-control implementation notes addressing scope gaps (cloud, FOSS, COTS)
- Hardware and software anti-counterfeiting techniques per SR-11
- Tamper resistance technologies per SR-9
supplier-assessment.md:
- 7-factor supplier risk tiering matrix with scoring guide
- Abbreviated supplier assessment questionnaire (5 sections, all questions)
- 8 model C-SCRM contract clauses with placeholder text ready for legal review
- SBOM minimum data fields per NTIA and recommended additional fields
- SBOM delivery requirements (format, timing, retention)
- SBOM consumption procedure with NVD cross-reference step
- Critical Component Identification Worksheet template
c-scrm-programme.md:
- 7-step C-SCRM programme establishment procedure
- C-SCRM Plan template with all 12 required sections
- Pre-solicitation C-SCRM checklist (10 items)
- Delivery and acceptance procedure for critical/high components
- Supply chain incident response procedure (5-step: identify/assess, contain, notify, eradicate/recover, document)
- 7 C-SCRM programme metrics with measurements, targets, and reporting levels

INTEGRATION POINTS:
- SP 800-53 Rev 5: SR control family is defined in this publication; 800-161 provides implementation guidance
- SP 800-37 Rev 2 RMF: C-SCRM requirements are incorporated throughout the RMF lifecycle; SR controls appear in system security plans
- SP 800-30 Rev 1: supply chain risk assessment follows SP 800-30 risk assessment methodology
- SP 800-218 SSDF: secure development requirements for software suppliers align to SSDF practices
- EO 14028 (May 2021): SBOM requirements align to EO 14028 Section 4 software supply chain security
- FISMA: C-SCRM is a FISMA compliance requirement for federal agencies under OMB Circular A-130

TESTS:
test_plugin_json_exists[nist-sp-800-161] PASSED
test_plugin_json_is_valid[nist-sp-800-161] PASSED
test_plugin_json_required_fields[nist-sp-800-161] PASSED
test_plugin_version_semver[nist-sp-800-161] PASSED
test_skills_directory_exists[nist-sp-800-161] PASSED
test_skills_directory_has_one_skill_folder[nist-sp-800-161] PASSED
test_skill_md_exists[nist-sp-800-161] PASSED
test_skill_md_not_empty[nist-sp-800-161] PASSED
test_no_files_outside_skill_folder[nist-sp-800-161] PASSED
test_references_are_markdown[nist-sp-800-161] PASSED
10 passed, 95 deselected
NIST SP 800-161 Rev 1 — Cybersecurity Supply Chain Risk Management (C-SCRM)
Source Publication: NIST Special Publication 800-161 Revision 1, May 2022
CSRC URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
This pull request adds a complete Claude skill plugin for NIST SP 800-161 Rev 1, supporting CIOs, SAORMs, C-SCRM Programme Managers, ISSOs, Contracting Officers, and acquisition professionals implementing cybersecurity supply chain risk management programmes for federal information systems and organisations.
Files Added
Framework Coverage
C-SCRM Scope: Full ICT supply chain lifecycle from design through disposal. Addresses hardware, software, cloud services, SaaS, FOSS, COTS, managed services, and all sub-tier suppliers.
Supply Chain Threats: Six threat categories — counterfeit components, tampered products, inferior and fraudulent products, theft of sensitive information, installation of malicious code, poor manufacturing/development practices.
Multi-Tier Architecture: Three C-SCRM tiers aligned to SP 800-39 — Tier 1 (Enterprise: strategy, risk tolerance, governance), Tier 2 (Mission/Business: programme/project level), Tier 3 (Information System: SR control implementation). Supplier tier hierarchy: prime contractor, sub-tier supplier, component manufacturer.
SR Control Family: All 12 base controls (SR-1 through SR-12) plus all enhancements with baseline assignments (L/M/H) and detailed implementation guidance. Covers provenance, supplier assessments, acquisition strategies, tamper resistance, component authenticity, and disposal.
SBOM: NTIA minimum 7 data fields, SPDX and CycloneDX formats, delivery requirements, consumption procedure with NVD cross-reference, retention guidance. Aligned to EO 14028 software supply chain security requirements.
Supplier Risk Tiering: 7-factor scoring matrix (geography, ownership, prior incidents, certifications, sub-tier visibility, single-source dependency, component sensitivity) yielding Low/Moderate/High/Critical tier classification.
Supplier Assessments: Five assessment types matched to risk tier. Frequency guidance. Triggers for unscheduled reassessment.
Acquisition Lifecycle: C-SCRM requirements mapped to six acquisition phases (requirements definition through disposal). Pre-solicitation checklist, delivery/acceptance procedure, supply chain incident response.
Contract Clauses: Eight model clauses covering security requirements flow-down, incident/vulnerability notification (72 hours), significant change notification, EOL announcement, authenticity warranties, SBOM delivery, right-to-audit, and ownership change notification.
Reference Files
references/sr-control-family.md — Detailed implementation guidance for all SR controls (SR-1 through SR-12) and enhancements. Baseline assignments. Implementation notes addressing cloud, FOSS, and COTS scope. Hardware and software anti-counterfeiting techniques (SR-11). Tamper resistance technologies (SR-9). Provenance documentation fields (SR-4). Component disposal requirements (SR-12).
references/supplier-assessment.md — 7-factor supplier risk tiering worksheet with scoring interpretation. Abbreviated supplier assessment questionnaire (5 sections). 8 model C-SCRM contract clauses ready for legal review. SBOM minimum data fields (NTIA), recommended additional fields, format and delivery requirements. SBOM consumption procedure. Critical Component Identification Worksheet template.
references/c-scrm-programme.md — 7-step C-SCRM programme establishment procedure. Complete C-SCRM Plan template with all 12 required sections. Pre-solicitation C-SCRM checklist (10 items). Delivery and acceptance procedure for critical/high-risk components. 5-step supply chain incident response procedure (identify/assess, contain, notify, eradicate/recover, document). 7 programme-level C-SCRM metrics with measurements, targets, and reporting levels.
Integration Points
Tests
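The SBOM consumption step that both the commit message and the description mention (NTIA minimum data fields, CycloneDX format, NVD cross-reference) is the one piece of this plugin a practitioner would most often want to mechanise. The following is an added example and is not part of this pull request or of the plugin's reference files: it parses a constructed CycloneDX 1.4 JSON document, reports which of the seven NTIA minimum elements are missing, and collects the identifiers an analyst would carry into the NVD cross-reference step. The mapping of NTIA elements onto CycloneDX fields (supplier.name, name, version, purl/cpe, the dependencies graph, metadata.authors or metadata.tools, metadata.timestamp) is this example's own reading of the two specifications, and the sample SBOM is constructed for illustration.

```python
"""Added example: check a CycloneDX SBOM for the NTIA minimum elements before
the NVD cross-reference step of an SBOM consumption procedure.
Not part of the pull request; the sample SBOM below is constructed."""
import json
from datetime import datetime

# The seven NTIA minimum elements, kept here for the report header.
NTIA_MINIMUM_ELEMENTS = (
    "supplier name", "component name", "component version",
    "other unique identifiers", "dependency relationship",
    "author of SBOM data", "timestamp",
)

# Constructed CycloneDX 1.4 JSON document: one complete component (libfoo)
# and one deliberately incomplete component (libbar). Not a real product.
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-15T10:00:00Z",
    "authors": [{"name": "Example Vendor Product Security"}],
    "component": {"type": "application", "name": "example-app",
                  "version": "2.3.0", "bom-ref": "pkg:generic/example-app@2.3.0"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "supplier": {"name": "Foo Project"},
     "purl": "pkg:generic/libfoo@1.2.3", "bom-ref": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "libbar",
     "purl": "pkg:generic/libbar", "bom-ref": "pkg:generic/libbar"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example-app@2.3.0",
     "dependsOn": ["pkg:generic/libfoo@1.2.3"]}
  ]
}"""


def load_sbom(text):
    """Parse SBOM JSON text into a dict."""
    return json.loads(text)


def _component_findings(comp, dep_refs):
    """Return NTIA-minimum findings for a single CycloneDX component."""
    label = comp.get("name") or comp.get("bom-ref") or "<unnamed component>"
    findings = []
    if not comp.get("name"):
        findings.append(f"{label}: missing component name")
    if not comp.get("version"):
        findings.append(f"{label}: missing component version")
    if not (comp.get("supplier") or {}).get("name"):
        findings.append(f"{label}: missing supplier name")
    # "Other unique identifiers": CycloneDX carries these as purl and/or cpe.
    if not (comp.get("purl") or comp.get("cpe")):
        findings.append(f"{label}: missing unique identifier (purl or cpe)")
    # "Dependency relationship": the component must appear in the dependency graph.
    if comp.get("bom-ref") not in dep_refs:
        findings.append(f"{label}: not present in the dependency graph")
    return findings


def check_ntia_minimum(sbom):
    """Return a list of findings; an empty list means all seven elements are present."""
    if sbom.get("bomFormat") != "CycloneDX":
        return ["document is not CycloneDX"]
    findings = []
    meta = sbom.get("metadata") or {}
    # "Author of SBOM data": metadata.authors (people) or metadata.tools (generators).
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing SBOM author")
    # "Timestamp": must be present and parse as ISO 8601.
    try:
        datetime.fromisoformat(meta.get("timestamp").replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        findings.append("metadata: missing or malformed timestamp")
    # Every bom-ref named on either side of a dependency edge.
    dep_refs = set()
    for dep in sbom.get("dependencies") or []:
        dep_refs.add(dep.get("ref"))
        dep_refs.update(dep.get("dependsOn") or [])
    for comp in sbom.get("components") or []:
        findings.extend(_component_findings(comp, dep_refs))
    return findings


def cross_reference_keys(sbom):
    """Identifiers to carry into the NVD cross-reference step, per component.
    NVD is keyed by CPE; a component that carries only a purl needs a
    purl-to-CPE mapping before it can be queried (an analyst step, not done here)."""
    return {
        comp.get("name"): {"cpe": comp.get("cpe"), "purl": comp.get("purl")}
        for comp in sbom.get("components") or []
    }


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    for finding in check_ntia_minimum(bom) or ["no findings"]:
        print(finding)
    print(cross_reference_keys(bom))
```

Run against the constructed sample, the checker accepts libfoo and reports three gaps for libbar (no version, no supplier, absent from the dependency graph); an acceptance procedure of the kind the description lists would hold such an SBOM at the delivery gate rather than pass it on to the NVD cross-reference step, since a component without a version or identifier cannot be matched to a vulnerability record.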