The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST's responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. However, because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, many private sector organizations consider compliance with these standards and guidelines to be a top priority.
Several NIST special publications have specific controls that require organizations to establish and implement processes to identify, assess and manage supply chain risk. These NIST special publications include:
Because NIST guidelines complement one another, organizations that standardize on one special publication can cross-map to the others – in effect meeting multiple requirements using a single framework. The Prevalent Third-Party Risk Management Platform can be used to meet NIST requirements for stronger supply chain security.
This post explains each NIST special publication and maps Prevalent capabilities into those frameworks.
Supply chain security and data privacy controls have evolved as SP 800-53 has been revised. In SP 800-53 Rev. 4, for example, Supply Chain Protection was a single control (SA-12) within the broader System and Services Acquisition (SA) control family. That one control addressed the need to identify vulnerabilities throughout an information system's lifecycle and to respond to them through strategy and controls. It directed organizations to build security safeguards into how they acquire and procure third-party products and services, and it required them to review and assess suppliers and their products prior to engagement in order to gain broader supply chain visibility.
Acknowledging the increasing number of third-party supplier-related data breaches and other security events, SP 800-53 Rev. 5 expands and refines the supply chain security and privacy guidance by establishing an entirely new control family, SR (Supply Chain Risk Management). It also requires organizations to develop and plan for managing supply chain risks by:
NIST SP 800-53 is widely treated as the foundational control catalog on which other cybersecurity control sets are built. With SP 800-161 Rev. 1, NIST provides a complementary framework for framing, assessing, responding to, and monitoring cybersecurity supply chain risks. Together, SP 800-53 and the supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.
The Cybersecurity Framework (CSF) is another NIST publication that applies to third-party risk management and supply chain security. Rather than creating an undue burden on organizations with new requirements, the Framework points to existing standards as informative references, including the CIS Controls, COBIT, ISA/IEC 62443, ISO/IEC 27001, and NIST SP 800-53. Specific supply chain risk management subcategories identified in the CSF include:
In August 2023, NIST CSF draft version 2.0 was released for public comment; it is expected to be finalized in 2024.
The NIST Third-Party Compliance Checklist
The NIST Third-Party Compliance Checklist is a 30-page guide that reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and the NIST CSF.
Prevalent can help address the third-party requirements in NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, as well as NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.
With the Prevalent Third-Party Risk Management Platform, you can:
Prepare for NIST CSF 2.0
Read the Third-Party Compliance Checklist for NIST Cybersecurity Framework 2.0 Draft to assess your third-party risk management program against updated C-SCRM guidelines proposed for CSF 2.0.
NIST calls for robust management and tracking of third-party supply chain security risk. SP 800-53 Rev. 5, SP 800-161 Rev. 1 and CSF v1.1 specify that:
Prevalent delivers a unified platform with NIST compliance capabilities that enable you to effectively audit supplier security controls. For a complete listing of the NIST supply chain risk management requirements and how Prevalent capabilities map, read The NIST Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 30+ other regulations, download The Third-Party Risk Management Compliance Handbook.