The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST's responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. However, because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, many private sector organizations consider compliance with these standards and guidelines to be a top priority.
Several NIST special publications have specific controls that require organizations to establish and implement processes to identify, assess and manage supply chain risk. These NIST special publications include:
- SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
- SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- Cybersecurity Framework v1.1: Framework for Improving Critical Infrastructure Cybersecurity
Because NIST guidelines complement one another, organizations that standardize on one special publication can cross-map to the others – in effect meeting multiple requirements using a single framework. The Prevalent Third-Party Risk Management Platform can be used to meet NIST requirements for stronger supply chain security.
This post explains each NIST special publication and maps Prevalent capabilities into those frameworks.
Supply Chain Risk Management Controls in SP 800-53 Rev. 5
Supply chain security and data privacy controls have evolved as SP 800-53 has been revised. For example, in SP 800-53 Rev. 4, Supply Chain Protection was covered under the wider System & Services Acquisition control group. This single control addressed the need to identify vulnerabilities throughout an information system’s lifecycle, and to respond through strategy and controls. It encouraged organizations to acquire and procure third-party solutions to implement security safeguards. It also required organizations to review and assess suppliers and their products prior to engagement for broader supply chain visibility.
Acknowledging the increasing number of third-party supplier-related data breaches and other security events, SP 800-53 Rev. 5 expands and refines the supply chain security and privacy guidelines by establishing an entirely new control group, SR (Supply Chain Risk Management). It also requires organizations to develop and plan for managing supply chain risks by:
- Using formal risk management plans and policies to drive the supply chain management process
- Emphasizing security and privacy through collaboration in identifying risks and threats, and through the application of security and privacy-based controls
- Requiring transparency of systems and products (e.g., lifecycle, traceability, and component authenticity)
- Increasing awareness of the need to pre-assess organizations, and to ensure visibility into issues and breaches
How SP 800-161 Complements Supply Chain Risk Management
NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161, NIST outlines a complementary framework to identify, assess, select, and implement risk management processes and mitigating controls specific to supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.
Supply Chain Risk Management Requirements in the Cybersecurity Framework v1.1
The Cybersecurity Framework is another NIST publication that applies to third-party risk management and supply chain security. The Framework leverages existing security frameworks, such as CIS, COBIT, ISA, ISO/IEC and NIST, to avoid creating an undue burden on organizations to address requirements. Specific supply chain risk management subcategories identified in the CSF include:
- ID.SC-1: Identify, establish, assess, and manage cyber supply chain risk management processes, and ensure that organizational stakeholders agree.
- ID.SC-2: Identify, prioritize, and assess suppliers and third-party partners of information systems, components, and services using a cyber supply chain risk assessment process.
- ID.SC-3: Implement appropriate measures in supplier and third-party partner contracts to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
- ID.SC-4: Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
- ID.SC-5: Conduct response and recovery planning and testing with suppliers and third-party providers.
Meeting NIST SP 800-53r5 and NIST 800-161 Third-Party Guidance Using the Prevalent Platform
Prevalent can help address the third-party requirements in NIST SP 800-53r5 Security and Privacy Controls for Federal Information Systems and Organizations as well as the NIST 800-161 supply chain security-specific controls with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.
With the Prevalent Third-Party Risk Management Platform, you can:
- Continuously track and analyze externally observable threats to vendors and other third parties and complement and validate vendor-reported security control data to accommodate CA-2 (2) Security Assessments | Specialized Assessments, CA-2 (3) Security Assessments | External Organizations, SA-4 (17) Information System Monitoring | Integrated Situational Awareness, and SA-5 Security Alerts, Advisories and Directives.
- Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases to accommodate CA-7 (3) Continuous Monitoring | Trend Analysis and PM-16 Threat Awareness Program.
- Rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance to accommodate CP-2 (7) Contingency Plan | Coordinate with External Service Providers, IR-4 (10) Incident Handling | Supply Chain Coordination and IR-6 (3) Incident Reporting | Coordination with Supply Chain.
- Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure to accommodate PS-7 Third-Party Personnel Security and SR-8 Notification Agreements.
- Assess supply chain partner controls using more than 75 standardized risk assessment survey templates (including for NIST, ISO and many others), a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework to accommodate CA-2 (3) Security Assessments | External Organizations, RA-1 Risk Assessment Policy and Procedures, RA-3 Risk Assessment, and SR-6 Supplier Assessments and Reviews.
- Provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information to accommodate SA-9 Acquisition Process and SR-5 Acquisition Strategies, Tools, and Methods.
- Leverage dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks; gain visibility into vendor contract status, contact information, risk and compliance status, performance metrics, and more via centralized dashboards; and track resolution of issues throughout the remediation process to show risk reduction progress over time and report against KPIs to accommodate SA-9 (1) External Information Systems | Risk Assessments/Organizational Approvals and SA-9 (3) External Information Systems | Establish/Maintain Trust Relationship with Providers.
- Define and document your TPRM program to accommodate SR-1 Policies and Procedures and SR-3 Supply Chain Controls and Processes.
- Continually improve your TPRM program and ensure it is agile and flexible to accommodate SR-2 Supply Chain Risk Management Plan.
Meeting NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 Third-Party Requirements
With the Prevalent Third-Party Risk Management Platform, you can:
- Define and document your third-party risk management program with expert professional services. Obtain a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM to address Supply Chain Risk Management (ID.SC-1).
- Onboard, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle to address Supply Chain Risk Management (ID.SC-2).
- Use dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks. Customizable surveys make it easy to gather and analyze necessary performance and contract data in a single risk register to address Supply Chain Risk Management (ID.SC-3).
- Use a comprehensive solution to address all information security topics as they pertain to supply chain partner security controls to address Supply Chain Risk Management (ID.SC-4).
- Identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance to address Supply Chain Risk Management (ID.SC-5).
Next Steps for NIST Compliance
NIST requires robust management and tracking of third-party supply chain security risk. SP 800-53r5, SP 800-161 and CSF v1.1 specify that:
- a policy for managing risk should be in place
- security controls should be selected
- a policy should be codified in supplier agreements where appropriate
- suppliers should be assessed, managed and audited to the requirements and controls
Prevalent delivers a unified platform with NIST compliance capabilities that enable you to effectively audit supplier security controls. For a complete listing of the NIST supply chain risk management requirements and how Prevalent capabilities map, read The NIST Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.