Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk Requirements

Meeting NIST SP 800-53r5 and NIST 800-161r1 Supply Chain Cybersecurity Guidance Using the Prevalent Platform

Prevalent can help address the third-party requirements in NIST SP 800-53r5 Security and Privacy Controls for Federal Information Systems and Organizations as well as the NIST 800-161r1 Cybersecurity Supply Chain Risk Management Practices with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.

With the Prevalent Third-Party Risk Management Platform, you can:

• Continuously track and analyze externally observable threats to vendors and other third parties and complement and validate vendor-reported security control data to accommodate CA-2 (1) Control Assessments | Specialized Assessments, CA-2 (3) Control Assessments | Leveraging Results from External Organizations, and SA-4 (7) System Monitoring | Integrated Situational Awareness.
• Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases to accommodate CA-7 (3) Continuous Monitoring | Trend Analysis, PM-16 Threat Awareness Program, PM-31 Continuous Monitoring Strategy, SA-4 (3) Acquisition Process | Continuous Monitoring Plan for Controls, and SI-5 Security Alerts, Advisories and Directives.
• Rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance to accommodate CP-2 (7) Contingency Plan | Coordinate with External Service Providers, IR-4 (3) Incident Handling | Supply Chain Coordination, IR-6 (1) Incident Reporting | Supply Chain Coordination and IR-8 Incident Response Plan.
• Automate contract lifecycle management to ensure that key contract clauses for incident response are in place, and that service levels and response times are managed to accommodate IR-5 Incident Monitoring and SR-8 Notification Agreements.
• Assess supply chain partner controls using more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework to accommodate CA-2 (3) Security Assessments | External Organizations, RA-1 Policy and Procedures, RA-3 Risk Assessment, RA-7 Risk Response and SR-6 Supplier Assessments and Reviews.
• Categorize and tier all suppliers using multiple criteria to accommodate RA-9 Criticality Analysis and SR-13 Supplier Inventory.
• Provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information to accommodate SA-9 Acquisition Process and SR-5 Acquisition Strategies, Tools, and Methods.
• Define and document your TPRM program to accommodate SR-1 Policies and Procedures and SR-3 Supply Chain Controls and Processes.
• Continually improve your TPRM program and ensure it is agile and flexible to accommodate SR-2 Supply Chain Risk Management Plan.

Meeting NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 Third-Party Requirements

With the Prevalent Third-Party Risk Management Platform, you can:

• Define and document your third-party risk management program with expert professional services. Obtain a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM to address Supply Chain Risk Management (ID.SC-1).
• Onboard, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle to address Supply Chain Risk Management (ID.SC-2).
• Use dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks. Customizable surveys make it easy to gather and analyze necessary performance and contract data in a single risk register to address Supply Chain Risk Management (ID.SC-3).
• Use a comprehensive solution to address all information security topics as they pertain to supply chain partner security controls to address Supply Chain Risk Management (ID.SC-4).
• Identify and mitigate the impact supply chain breaches by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance to address Supply Chain Risk Management (ID.SC-5).

Next Steps for NIST Compliance

NIST requires robust management and tracking of third-party supply chain security risk. SP 800-53r5, SP 800-161r1 and CSF v1.1 specify that:

• a policy for managing risk should be in place
• security controls should be selected
• a policy should be codified in supplier agreements where appropriate
• suppliers should be assessed, managed and audited to the requirements and controls

Prevalent delivers a unified platform with NIST compliance capabilities that enable you to effectively audit supplier security controls. For a complete listing of the NIST supply chain risk management requirements and how Prevalent capabilities map, read The NIST Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.