Editor’s Note: In this week’s edition of our blog series, "Third-Party Risk Management: How to Stay Off the Regulatory Radar," we take a look at NIST Special Publication 800-53r4 and the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 and their associated third-party recommendations. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of the requirements.
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities is establishing computer and information technology standards and guidelines for federal agencies. Because NIST has evolved into a key resource for managing cybersecurity risk, many private sector organizations treat alignment with its standards and guidelines as a top priority even though they are not legally bound by them.
NIST’s Special Publication (SP) 800 series presents detailed guidance for the computer security community. The NIST Cybersecurity Framework v1.1, by contrast, acknowledges that specific controls and processes are already covered (and often duplicated) in existing standards, and so provides streamlined, high-level guidance for improving cybersecurity defenses while mapping back to those detailed sources.
NIST SP 800-53 is the catalog of security and privacy controls that federal agencies and their contractors select from to satisfy the minimum security requirements of FIPS 200 (compliance with FIPS 200 is the mandatory standard; SP 800-53 describes how to meet it). This post focuses on revision 4, Section 2.5 External Service Providers. The risk-based approach to control selection in SP 800-53r4 can be summarized as follows:
An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations. The resulting set of security controls establishes a level of security due diligence for the organization.
NIST devotes an entire section of the document, "Section 2.5: External Service Providers," to third-party risk. Risk is addressed by incorporating the Risk Management Framework (RMF) into the terms and conditions of contracts with external providers. Organizations can require external providers to implement all steps in the RMF, with the exception of the security authorization decision, which remains the responsibility of the organization's own authorizing official. In practice, this means that each external service provider is assessed, identified risks are mitigated or formally accepted, and ongoing monitoring is performed throughout the contract period.
The NIST Cybersecurity Framework v1.1 document is divided into the framework core, the implementation tiers, and the framework profile. The framework core describes five functions of a cybersecurity program: identify, protect, detect, respond, and recover. For organizations looking to establish or improve a cybersecurity program, the framework follows steps similar to those of NIST SP 800-53r4. Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, explains how to use the framework to manage supply chain risk. Activities include:
For organizations worried about cyber threats, supply chain risk management is an important piece in NIST standards and frameworks.
Prevalent can help address the third-party requirements in NIST SP 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. These requirements include those covered by "Section 2.5: External Service Providers," which states that external providers must meet the same security requirements as the federal agencies they serve when handling federal information. It also specifies that organizations can require external providers to implement the steps of the NIST Risk Management Framework.
With the Prevalent Third-Party Risk Management Platform, you can:
NIST guidance calls for robust management and tracking of third-party and supply chain security risk. Both SP 800-53r4 and CSF v1.1 specify that a policy for managing that risk should be in place; that security controls should be selected; that the policy should be codified in supplier agreements where appropriate; and that suppliers should be managed and audited against the agreed requirements and controls. Prevalent delivers a unified platform that can help audit supplier security controls and demonstrate compliance.