Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk Requirements

NIST has authored several industry standards that deal with identifying, assessing and managing supply chain risk. Here's an overview of a few NIST guidelines pertaining to third-party risk and how Prevalent can help.
By:
Scott Lang
,
VP, Product Marketing
June 23, 2022
Share:
Blog compliance nist nov 2019

The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST's responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. However, because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, many private sector organizations consider compliance with these standards and guidelines to be a top priority.

Several NIST special publications have specific controls that require organizations to establish and implement processes to identify, assess and manage supply chain risk. These NIST special publications include:

Because NIST guidelines complement one another, organizations that standardize on one special publication can cross-map to the others – in effect meeting multiple requirements using a single framework. The Prevalent Third-Party Risk Management Platform can be used to meet NIST requirements for stronger supply chain security.

This post explains each NIST special publication and maps Prevalent capabilities into those frameworks.

Supply Chain Risk Management Controls in SP 800-53 Rev. 5

Supply chain security and data privacy controls have evolved as SP 800-53 has been revised. For example, in SP 800-53 Rev. 4 Supply Chain Protection was covered under a wider System & Service Acquisition control group. This single control addressed the need to identify vulnerabilities throughout an information system’s lifecycle, and to respond through strategy and controls. It encouraged organizations to acquire and procure third-party solutions to implement security safeguards. It also required organizations to review and assess suppliers and their products prior to engagement for broader supply chain visibility.

Acknowledging the increasing number of third-party supplier-related data breaches and other security events, SP 800-53 Rev. 5 expands and refines the supply chain security and privacy guidelines by establishing an entirely new control group, SR-Supply Chain Risk Management. It also requires organizations to develop and plan for managing supply chain risks by:

  • Using formal risk management plans and policies to drive the supply chain management process
  • Emphasizing security and privacy through collaboration in identifying risks and threats, and through the application of security and privacy-based controls
  • Requiring transparency of systems and products (e.g., lifecycle, traceability, and component authenticity)
  • Increasing awareness of the need to pre-assess organizations, and to ensure visibility into issues and breaches

How SP 800-161 Rev. 1 Complements Cybersecurity Supply Chain Risk Management

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

Supply Chain Risk Management Requirements in the Cybersecurity Framework v2.0

The Cybersecurity Framework is another NIST publication that applies to third-party risk management and supply chain security. The Framework leverages existing security frameworks, such as CIS, COBIT, ISA, ISO/IEC and NIST, to avoid creating an undue burden on organizations to address requirements. NIST CSF 2.0, released in February 2024, reorganizes supply chain risk management controls under a new Function called Govern. Specific supply chain risk management subcategories identified in the CSF include:

  • GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
  • GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
  • GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
  • GV.SC-04: Suppliers are known and prioritized by criticality
  • GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
  • GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
  • GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
  • GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
  • GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  • GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

The NIST Third-Party Compliance Checklist

The NIST Third-Party Compliance Checklist is a 30-page guide reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and NIST CSF.

Read Now
Feature nist compliance checklist 1021

Meeting NIST SP 800-53r5 and NIST 800-161r1 Supply Chain Cybersecurity Guidance Using the Prevalent Platform

Prevalent can help address the third-party requirements in NIST SP 800-53r5 Security and Privacy Controls for Federal Information Systems and Organizations as well as the NIST 800-161r1 Cybersecurity Supply Chain Risk Management Practices with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.

With the Prevalent Third-Party Risk Management Platform, you can:

  • Continuously track and analyze externally observable threats to vendors and other third parties and complement and validate vendor-reported security control data to accommodate CA-2 (1) Control Assessments | Specialized Assessments, CA-2 (3) Control Assessments | Leveraging Results from External Organizations, and SA-4 (7) System Monitoring | Integrated Situational Awareness.
  • Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases to accommodate CA-7 (3) Continuous Monitoring | Trend Analysis, PM-16 Threat Awareness Program, PM-31 Continuous Monitoring Strategy, SA-4 (3) Acquisition Process | Continuous Monitoring Plan for Controls, and SI-5 Security Alerts, Advisories and Directives.
  • Rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance to accommodate CP-2 (7) Contingency Plan | Coordinate with External Service Providers, IR-4 (3) Incident Handling | Supply Chain Coordination, IR-6 (1) Incident Reporting | Supply Chain Coordination and IR-8 Incident Response Plan.
  • Automate contract lifecycle management to ensure that key contract clauses for incident response are in place, and that service levels and response times are managed to accommodate IR-5 Incident Monitoring and SR-8 Notification Agreements.
  • Assess supply chain partner controls using more than 750 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework to accommodate CA-2 (3) Security Assessments | External Organizations, RA-1 Policy and Procedures, RA-3 Risk Assessment, RA-7 Risk Response and SR-6 Supplier Assessments and Reviews.
  • Categorize and tier all suppliers using multiple criteria to accommodate RA-9 Criticality Analysis and SR-13 Supplier Inventory.
  • Provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information to accommodate SA-9 Acquisition Process and SR-5 Acquisition Strategies, Tools, and Methods.
  • Define and document your TPRM program to accommodate SR-1 Policies and Procedures and SR-3 Supply Chain Controls and Processes.
  • Continually improve your TPRM program and ensure it is agile and flexible to accommodate SR-2 Supply Chain Risk Management Plan.

Meeting NIST Framework for Improving Critical Infrastructure Cybersecurity Framework (CSF) v2.0 Third-Party Requirements

With the Prevalent Third-Party Risk Management Platform, you can:

  • Define and document your third-party risk management program with expert professional services. Obtain a clear plan that accounts for program strategy, roles and responsibilities, and integration into the broader enterprise risk management strategy while incorporating best practices for end-to-end TPRM to address Cybersecurity Supply Chain Risk Management (GV.SC-01, GV.SC-02, GV.SC-03, and GV.SC-09).
  • Centralize, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle to address Cybersecurity Supply Chain Risk Management (GV.SC-04).
  • Centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced as part of Cybersecurity Supply Chain Risk Management (GV.SC-05).
  • Centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables pre-contract due diligence as part of Cybersecurity Supply Chain Risk Management (GV.SC-06).
  • Use a comprehensive solution to assess and monitor all information security topics as they pertain to supply chain partner security controls to address Cybersecurity Supply Chain Risk Management (GV.SC-07).
  • Identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of Cybersecurity Supply Chain Risk Management (GV.SC-08).
  • Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure as part of Cybersecurity Supply Chain Risk Management (GV.SC-10).

Align Your TPRM Program with NIST CSF 2.0

Read the Third-Party Compliance Checklist for NIST Cybersecurity Framework 2.0 to assess your third-party risk management program against the latest C-SCRM guidelines.

Read Now
Featured resource nist csf 2 0

Next Steps for NIST Compliance

NIST requires robust management and tracking of third-party supply chain security risk. SP 800-53r5, SP 800-161r1 and CSF v2.0 specify that:

  • a policy for managing risk should be in place
  • security controls should be selected
  • a policy should be codified in supplier agreements where appropriate
  • suppliers should be assessed, managed and audited to the requirements and controls

Prevalent delivers a unified platform with NIST compliance capabilities that enable you to effectively audit supplier security controls. For a complete listing of the NIST supply chain risk management requirements and how Prevalent capabilities map, read The NIST Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 50+ other regulations, download the Cybersecurity Frameworks Compliance Handbook.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo