
Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk Requirements

NIST has authored several industry standards that deal with identifying, assessing and managing supply chain risk. Here's an overview of a few NIST guidelines pertaining to third-party risk and how Prevalent can help.
By: Scott Lang, VP, Product Marketing
June 22, 2021


The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities is establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organizations consider compliance with these standards and guidelines to be a top priority.

NIST’s Special Publication (SP) 800 series presents information of interest to the computer security community. NIST Special Publication (SP) 800-161 is a supplement to SP 800-53 and provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology supply chain risks at all levels of their organizations. The NIST Cybersecurity Framework v1.1 acknowledges that specific controls and processes are covered and duplicated in existing standards, and thus provides streamlined, high-level guidance for improving cybersecurity defenses.

Three NIST Frameworks Addressing Third-party Risk

NIST SP 800-53

NIST SP 800-53 is a regulatory document, encompassing the processes and controls needed for a government-affiliated entity to comply with the FIPS 200 certification. This post focuses on revision 4, chapter 2.5 External Service Providers. The risk framework in SP 800-53r4 consists of the following:

  • Step 1: Categorize the information system
  • Step 2: Select the applicable security control baseline
  • Step 3: Implement the security controls
  • Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
  • Step 5: Authorize information system operation
  • Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness

An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations. The resulting set of security controls establishes a level of security due diligence for the organization.

NIST devotes an entire section of the document, "Section 2.5: External Service Providers," to discussing third-party risk. Risk is addressed by incorporating the Risk Management Framework (RMF) as part of the terms and conditions of the contracts with external providers. Organizations can require external providers to implement all steps in the RMF. In other words, assessments need to be conducted for each external service provider, risks mitigated, and ongoing monitoring performed throughout the contract period.

NIST SP 800-161

NIST SP 800-161 presents an additional layer of supply-chain-specific guidance on top of SP 800-53, introducing a framework of framing, assessing, responding to and monitoring risks inherent in supply chain relationships across 18 control families.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework v1.1 document is divided into the framework core, the implementation tiers, and the framework profile. The framework core describes five functions of an information security program: identify, protect, detect, respond, and recover. For organizations looking to establish or improve a cybersecurity program, this framework follows steps similar to those of NIST SP 800-53r4. Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, explains how to use the framework to manage supply chain risk. Activities include:

  • Determining cybersecurity requirements for suppliers
  • Enacting cybersecurity requirements through formal agreement (e.g., contracts)
  • Communicating to suppliers how those cybersecurity requirements will be verified and validated
  • Verifying that cybersecurity requirements are met through a variety of assessment methodologies
  • Governing and managing the above activities

For organizations concerned about cyber threats, supply chain risk management is an important piece in NIST standards and frameworks.


Meeting NIST SP 800-53r4 Third-Party Guidance

Prevalent can help address the third-party requirements in NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. These requirements include those covered by "Chapter 2.5: External Service Providers," which indicates that service providers must meet the same security requirements as the federal agencies that they serve. It also specifies that organizations must require external providers to implement all steps in the NIST Risk Management Framework.

Meeting NIST SP 800-161 Third-Party Requirements

With the Prevalent Third-Party Risk Management Platform, you can:

  • Continuously track and analyze externally observable threats to vendors and other third parties and complement and validate vendor-reported security control data to accommodate CA-2 (2) Security Assessments | Specialized Assessments
  • Assess supply chain partner controls using more than 75 standardized risk assessment survey templates (including for NIST, ISO and many others), a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework to accommodate CA-2 (3) Security Assessments | External Organizations, RA-1 Risk Assessment Policy and Procedures, and RA-3 Risk Assessment
  • Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums, thousands of onion pages, 80+ dark web special access forums, 65+ threat feeds, and 50+ paste sites for leaked credentials, as well as several security communities, code repositories, and vulnerability databases, to accommodate CA-7 (3) Continuous Monitoring | Trend Analysis
  • Rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance to accommodate CP-2 (7) Contingency Plan | Coordinate with External Service Providers and IR-1 (10) Incident Handling | Supply Chain Coordination
  • Leverage dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks; gain visibility into vendor contract status, contact information, risk and compliance status, performance metrics, and more via centralized dashboards; and track resolution of issues throughout the remediation process to show risk reduction progress over time and report against KPIs to accommodate SA-12 (2) Supply Chain Protection | Supplier Reviews
  • Expand intelligence to protect your organization against supply chain threats by incorporating cyber threat intelligence, business reputational insights, financial insights, adverse media, global sanctions, state-owned enterprises, politically exposed persons and breach events to accommodate SA-12 (8) Supply Chain Protection | Use of All Source Intelligence

Meeting NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 Third-Party Requirements

With the Prevalent Third-Party Risk Management Platform, you can:

  • Assess third parties to determine compliance with internal controls standards to address Supply Chain Risk Management (ID.SC-2), which requires the identification, prioritization and assessment of third-party partners and suppliers of information systems, components and services via a cyber supply chain risk assessment process
  • Implement customized questionnaires that verify vendors are meeting the detailed requirements of the contract to accommodate Supply Chain Risk Management (ID.SC-3)
  • Deliver risk-based reporting to satisfy audit and compliance requirements to address Supply Chain Risk Management (ID.SC-4)
  • Get detailed remediation guidance to mitigate risks identified during the vendor assessment to address Supply Chain Risk Management (ID.SC-5)

Next Steps for NIST Compliance

NIST requires robust management and tracking of third-party supply chain security risk. SP 800-53r4, SP 800-161 and CSF v1.1 all specify that a policy for managing risk should be in place; security controls should be selected; the policy should be codified in supplier agreements where appropriate; and suppliers should be managed and audited against those requirements and controls. Prevalent delivers a unified platform that can help effectively audit supplier security controls to ensure compliance.

Contact us today for a demo to explain how, read more about our solutions for NIST risk management compliance, or download the full white paper to see how these controls map to the Prevalent platform.

About the author
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.