The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST's responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, many private sector organizations consider compliance with these standards and guidelines to be a top priority.
Several NIST special publications have specific controls that require organizations to establish and implement the processes to identify, assess and manage supply chain risk. These NIST special publications include:
Because NIST guidelines complement one another, organizations that standardize on one special publication and cross-map to the others – in effect meeting multiple requirements using a single framework. The Prevalent Third-Party Risk Management Platform can be used to meet NIST requirements for stronger supply chain security.
Assess if security controls are implemented correctly, operating as intended, and meeting requirements
Monitor security controls on an ongoing basis to determine their effectiveness
Determine cybersecurity requirements for suppliers
Enact cybersecurity requirements through formal agreements (e.g., contracts)
Communicate to suppliers how cybersecurity requirements will be verified and validated
Verify that cybersecurity requirements are met through assessment methodologies
The NIST Third-Party Compliance Checklist
The NIST Third-Party Compliance Checklist is a 30-page guide reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and NIST CSF.
NIST SP 800-53r5 and SP 800-161r1 TPRM Controls Cross-Mapping
The below summary tables maps capabilities available in the Prevalent Third-Party Risk Management Platform to select third-party, vendor, or supplier controls present in SP 800-53, with SP 800-161 cross-mapping.
SP 800-53 r5 Control Number with SP 800-161r1 Cross-Mapping | How We Help |
---|---|
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Third-Party Risk Management Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that automatically maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent Vendor Threat Monitor (VTM) continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities. It also correlates assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. With the Prevalent Platform, you can efficiently communicate with vendors and coordinate remediation efforts. Capture and audit conversations; record estimated completion dates; accept or reject submissions on an answer-by-answer basis; assign tasks based on risks, documents or entities; and match documentation and evidence to risks. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases. Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support. |
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance. The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises. In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance. The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises. In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent Contract Essentials is a SaaS solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, your procurement and legal teams have a single solution to ensure that key contract clauses are in place, and that service levels and response times are managed. |
SP 800 53 Control with SP 800-161 Overlay
|
All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. The Incident Response Services provides the foundation to be well prepared for board and executive questions regarding the impact of supply chain incidents; and demonstrate proof of your third-party breach response plan with auditors and regulators. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases. Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases. Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. With the Prevalent Platform, you can automatically generate a risk register upon survey completion, ensuring that the entire risk profile (or a role-specific version) can be viewed in the centralized, real-time reporting dashboard – and reports can be downloaded and exported to determine compliance status. This filters out unnecessary noise and zeroes in on areas of possible concern, providing visibility and trending to measure program effectiveness. Then, you can take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance. |
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
The Prevalent Platform features built-in guidance to remediate control failures or other identified risks to levels acceptable level to your organization. Prevalent also enables risk assessors to communicate with third parties about remediations, document conversations and updates, and store supporting control documentation in a centralized repository. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. The assessment criteria includes:
Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments. Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations. |
SP 800 53 Control with SP 800-161 Overlay
|
In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
SP 800 53 Control with SP 800-161 Overlay
|
Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact. |
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
SP 800-53 r5 Supply Chain Risk Management (SR) Control
The below table includes an extract of the SP 800-53 r5 Supply Chain Risk Management control and how the Prevalent Platform addresses the requirements. For a complete mapping, please download the full NIST Guidance.
SP 800-53 r5 Supply Chain Risk Management (SR) Control | How We Help |
---|---|
SR-1 Policy and Procedures |
Prevalent Program Design Services define and document your third-party risk management program. You get a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM. |
SR-2 Supply Chain Risk Management Plan |
Prevalent Program Optimization Services help you to continually improve your Prevalent Platform deployment, ensuring that your TPRM program maintains the flexibility and agility it needs to meet evolving business and regulatory requirements. |
SR-3 Supply Chain Controls and Processes |
Prevalent Program Design Services define and document your third-party risk management program. You get a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM. |
SR-5 Acquisition Strategies, Tools, and Methods |
Prevalent helps procurement teams reduce cost, complexity and risk exposure during vendor selection. Our RFx Essentials solution provides centralized distribution, comparison, and management of RFPs and RFIs. It also helps you get ahead of potential supplier risks with demographic, 4th-party, and ESG scores – plus optional business, reputational, and financial risk insights. As a result, you’re able to take an important first step toward tackling risk in the third-party lifecycle. Once supplier selection is complete, Prevalent Contract Essentials centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, procurement and legal teams have a single solution to manage vendor contracts, simplify management and review, and reduce cost and risk. |
SR-6 Supplier Assessments and Reviews |
The Prevalent Platform includes more than 600 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner and business resilience security controls. Prevalent Vendor Threat Monitor continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. |
SR-8 Notification Agreements |
With the Prevalent Platform, you can collaborate on documents, agreements and certifications, such as NDAs, SLAs, SOWs and contracts, with built-in version control, task assignment and auto-review cadences. You can also manage all documents throughout the vendor lifecycle in centralized vendor profiles. |
SR-13 Supplier Inventory |
Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. Assessment criteria include:
Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments. Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations. |
Align Your TPRM Program with NIST CSF 2.0
Read the Third-Party Compliance Checklist for NIST Cybersecurity Framework 2.0 to assess your third-party risk management program against the latest C-SCRM guidelines.
NIST Cybersecurity Framework (CSF) v2.0 and Third-Party Risk Management
The table below includes a breakout of the supply chain-specific controls in the Govern Function in the Cybersecurity Framework v2.0 and how Prevalent helps address them. For a complete understanding of the Framework, please download the complete NIST CSF.
Function, Category & Subcategory | Best Practices |
---|---|
GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored |
|
Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders |
|
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders |
Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management and compliance programs. |
GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes |
Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management and compliance programs. Seek out experts to collaborate with your team on:
As part of this process, you should define:
|
GV.SC-04: Suppliers are known and prioritized by criticality |
Centralize your third-party inventory in a software solution. Then, quantify inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization should include:
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic should enable vendor categorization using a range of data interaction, financial, regulatory and reputational considerations. |
GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties |
Centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities should include:
With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly. |
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships |
Centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes. As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance. This level of due diligence creates greater context for making vendor selection decisions. |
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship |
Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes. Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors. As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Be sure to incorporate third-party operational, reputational and financial data to add context to cyber findings and measure the impact of incidents over time. |
GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities |
As part of your broader incident management strategy ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place. Key capabilities in a third-party incident response service should include:
Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging experts. |
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle |
Please see GV.SC-01 and GV.SC-02. |
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement |
Building on the best practices recommended for GV.SC-05, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
|
NIST has authored several industry standards that deal with identifying, assessing and managing supply chain risk...
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
Bring your TPRM program into alignment with NIST SP 800-53, SP 800-161 and CSF.