Editor’s Note: In this week’s edition of our blog series, "Third-Party Risk Management: How to Stay Off the Regulatory Radar," we take a look at NIST Special Publication 800-53 Revision 4 (SP 800-53r4) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 and the third-party recommendations in each. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of the requirements.
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities is establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST has evolved into a key resource for managing cybersecurity risk, many private sector organizations also treat alignment with these standards and guidelines as a top priority even though they are not bound by them.
NIST’s Special Publication (SP) 800 series presents guidance of interest to the computer security community. The NIST Cybersecurity Framework v1.1 does not define its own controls; it acknowledges that specific controls and processes are already covered in existing standards (which it cites as informative references) and instead provides streamlined, high-level guidance for improving cybersecurity defenses.
Two NIST Frameworks Addressing Third-party Risk
NIST SP 800-53 is the catalog of security and privacy controls that a federal agency or government-affiliated entity uses to meet the minimum security requirements of FIPS 200 (FIPS 200 is a mandatory federal standard, not a certification). This post focuses on Revision 4, Section 2.5, External Service Providers. The controls in SP 800-53r4 are applied through the six-step Risk Management Framework (RMF), which is defined in detail in NIST SP 800-37:
- Step 1: Categorize the information system and the information it processes, stores, and transmits
- Step 2: Select the applicable security control baseline and tailor it to the system
- Step 3: Implement the security controls and document how they are deployed
- Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
- Step 5: Authorize information system operation based on a determination of the risk to organizational operations, assets, individuals, and other organizations
- Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness
An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations. The resulting set of security controls establishes a level of security due diligence for the organization.
NIST devotes an entire section of the document, "Section 2.5: External Service Providers," to third-party risk. External providers handling federal information or operating systems on behalf of the federal government are required to meet the same security requirements as federal agencies, and organizations address the resulting risk by incorporating the RMF into the terms and conditions of their contracts with those providers. Organizations can require external providers to implement all steps in the RMF, with one caveat: the authorization step (Step 5) remains an inherent federal responsibility and cannot be delegated to the provider. In practice, this means an assessment is conducted for each external service provider, identified risks are mitigated, ongoing monitoring is performed throughout the contract period, and the organization's own authorizing official still accepts the residual risk.
The NIST Cybersecurity Framework v1.1 document is divided into the Framework Core, the Implementation Tiers, and the Framework Profile. The Framework Core describes five functions of a cybersecurity program: Identify, Protect, Detect, Respond, and Recover. For organizations looking to establish or improve a cybersecurity program, the Framework's identify-assess-implement-monitor flow parallels the RMF steps used with NIST SP 800-53r4. Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, explains how to use the Framework to manage cyber supply chain risk. Activities include:
- Determining cybersecurity requirements for suppliers
- Enacting cybersecurity requirements through formal agreement (e.g., contracts)
- Communicating to suppliers how those cybersecurity requirements will be verified and validated
- Verifying that cybersecurity requirements are met through a variety of assessment methodologies
- Governing and managing the above activities
For organizations concerned about cyber threats, supply chain risk management is an integral part of both NIST standards and frameworks, not an optional add-on.
Meeting NIST SP 800-53r4 Third-Party Guidance Using the Prevalent Platform
Prevalent can help address the third-party requirements in NIST SP 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. These requirements include those covered by "Section 2.5: External Service Providers," which states that external providers must meet the same security requirements as the federal agencies they serve. It also states that organizations can require external providers to implement all steps in the NIST Risk Management Framework, except for the authorization decision, which stays with the organization.
Meeting NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 Third-Party Requirements
With the Prevalent Third-Party Risk Management Platform, you can:
- Assess third parties to determine compliance with internal control standards to address Supply Chain Risk Management (ID.SC-2), which requires that suppliers and third-party partners of information systems, components, and services be identified, prioritized, and assessed using a cyber supply chain risk assessment process
- Implement customized questionnaires that verify vendors are meeting the detailed requirements of the contract to address Supply Chain Risk Management (ID.SC-3), which requires that contracts with suppliers and third-party partners be used to implement measures that meet the objectives of the organization's cybersecurity program and cyber supply chain risk management plan
- Deliver risk-based reporting to satisfy audit and compliance requirements to address Supply Chain Risk Management (ID.SC-4), which requires that suppliers and third-party partners be routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations
- Get detailed remediation guidance to mitigate risks identified during the vendor assessment, supporting Supply Chain Risk Management (ID.SC-5), which requires that response and recovery planning and testing be conducted with suppliers and third-party providers
NIST expects robust management and tracking of third-party supply chain security risk. Both SP 800-53r4 and CSF v1.1 specify that a policy for managing supplier risk should be in place; security controls should be selected; the policy should be codified in supplier agreements where appropriate; and suppliers should be managed and audited against those requirements and controls. Prevalent delivers a unified platform that can help audit supplier security controls and document compliance with them.