The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST's responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. However, because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, many private sector organizations consider compliance with these standards and guidelines to be a top priority.
Several NIST publications contain controls or subcategories that require organizations to establish and implement processes to identify, assess and manage supply chain risk. Those covered in this post are:
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- NIST Cybersecurity Framework (CSF) v1.1, which is a framework rather than a special publication but carries its own supply chain subcategories
Because NIST guidelines complement one another, organizations that standardize on one special publication can cross-map to the others – in effect meeting multiple requirements using a single framework. The Prevalent Third-Party Risk Management Platform can be used to meet NIST requirements for stronger supply chain security.
This post explains each NIST special publication and maps Prevalent capabilities into those frameworks.
Supply Chain Risk Management Controls in SP 800-53 Rev. 5
Supply chain security and data privacy controls have evolved as SP 800-53 has been revised. In SP 800-53 Rev. 4, supply chain protection was a single control (SA-12, Supply Chain Protection) within the broader System and Services Acquisition (SA) family. That control addressed the need to identify vulnerabilities throughout an information system's lifecycle and to respond with strategy and safeguards. It directed organizations to protect against supply chain threats by employing security safeguards as part of a defense-in-breadth strategy, and to review and assess suppliers and their products prior to engagement for broader supply chain visibility.
Acknowledging the increasing number of third-party supplier-related data breaches and other security events, SP 800-53 Rev. 5 expands and refines the supply chain security and privacy guidance by establishing an entirely new control family, SR (Supply Chain Risk Management). It also requires organizations to plan for and manage supply chain risks by:
- Using formal risk management plans and policies to drive the supply chain management process
- Emphasizing security and privacy through collaboration in identifying risks and threats, and through the application of security and privacy-based controls
- Requiring transparency of systems and products (e.g., lifecycle, traceability, and component authenticity)
- Increasing awareness of the need to pre-assess organizations, and to ensure visibility into issues and breaches
How SP 800-161 Rev. 1 Complements Cybersecurity Supply Chain Risk Management
NIST SP 800-53 is the control catalog on which most other NIST cybersecurity guidance builds. SP 800-161 Rev. 1 provides complementary guidance for framing, assessing, responding to, and monitoring cybersecurity supply chain risks, including supplemental guidance for the relevant SP 800-53 controls. Together, SP 800-53 and the supplemental SP 800-161 control guidance form a comprehensive framework for assessing and mitigating supplier risks.
Supply Chain Risk Management Requirements in the Cybersecurity Framework v1.1
The Cybersecurity Framework is another NIST publication that applies to third-party risk management and supply chain security. The Framework leverages existing security frameworks, such as CIS, COBIT, ISA, ISO/IEC and NIST, to avoid creating an undue burden on organizations to address requirements. Specific supply chain risk management subcategories identified in the CSF include:
- ID.SC-1: Identify, establish, assess, and manage cyber supply chain risk management processes, and ensure that organizational stakeholders agree.
- ID.SC-2: Identify, prioritize, and assess suppliers and third-party partners of information systems, components, and services using a cyber supply chain risk assessment process.
- ID.SC-3: Implement appropriate measures in supplier and third-party partner contracts to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
- ID.SC-4: Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
- ID.SC-5: Conduct response and recovery planning and testing with suppliers and third-party providers.
Meeting NIST SP 800-53r5 and NIST SP 800-161r1 Supply Chain Cybersecurity Guidance Using the Prevalent Platform
Prevalent can help address the third-party requirements in NIST SP 800-53r5, Security and Privacy Controls for Information Systems and Organizations, as well as NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, with an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.
With the Prevalent Third-Party Risk Management Platform, you can:
- Continuously track and analyze externally observable threats to vendors and other third parties, and complement and validate vendor-reported security control data, to accommodate CA-2(2) Control Assessments | Specialized Assessments, CA-2(3) Control Assessments | Leveraging Results from External Organizations, and SI-4(17) System Monitoring | Integrated Situational Awareness.
- Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums, thousands of onion pages, 80+ dark web special access forums, 65+ threat feeds, and 50+ paste sites for leaked credentials, as well as several security communities, code repositories, and vulnerability databases, to accommodate CA-7(3) Continuous Monitoring | Trend Analysis, PM-16 Threat Awareness Program, PM-31 Continuous Monitoring Strategy, SA-4(8) Acquisition Process | Continuous Monitoring Plan for Controls, and SI-5 Security Alerts, Advisories, and Directives.
- Rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance to accommodate CP-2(7) Contingency Plan | Coordinate with External Service Providers, IR-4(10) Incident Handling | Supply Chain Coordination, IR-6(3) Incident Reporting | Supply Chain Coordination, and IR-8 Incident Response Plan.
- Automate contract lifecycle management to ensure that key contract clauses for incident response are in place, and that service levels and response times are managed to accommodate IR-5 Incident Monitoring and SR-8 Notification Agreements.
- Assess supply chain partner controls using more than 200 standardized risk assessment survey templates (including templates for NIST, ISO and many others), a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework, to accommodate CA-2(3) Control Assessments | Leveraging Results from External Organizations, RA-1 Policy and Procedures, RA-3 Risk Assessment, RA-7 Risk Response, and SR-6 Supplier Assessments and Reviews.
- Categorize and tier all suppliers using multiple criteria to accommodate RA-9 Criticality Analysis and SR-13 Supplier Inventory.
- Provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information to accommodate SA-4 Acquisition Process and SR-5 Acquisition Strategies, Tools, and Methods.
- Define and document your TPRM program to accommodate SR-1 Policies and Procedures and SR-3 Supply Chain Controls and Processes.
- Continually improve your TPRM program and ensure it is agile and flexible to accommodate SR-2 Supply Chain Risk Management Plan.
Meeting NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 Third-Party Requirements
With the Prevalent Third-Party Risk Management Platform, you can:
- Define and document your third-party risk management program with expert professional services. Obtain a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM to address Supply Chain Risk Management (ID.SC-1).
- Onboard, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle to address Supply Chain Risk Management (ID.SC-2).
- Use dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks. Customizable surveys make it easy to gather and analyze necessary performance and contract data in a single risk register to address Supply Chain Risk Management (ID.SC-3).
- Routinely assess supplier security controls across the full range of information security domains, and gather the audit and test evidence needed to confirm that partners are meeting their contractual obligations, to address Supply Chain Risk Management (ID.SC-4).
- Identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance to address Supply Chain Risk Management (ID.SC-5).
Next Steps for NIST Compliance
NIST guidance calls for robust management and tracking of third-party supply chain security risk. SP 800-53r5, SP 800-161r1 and CSF v1.1 specify that:
- a policy for managing risk should be in place
- security controls should be selected
- a policy should be codified in supplier agreements where appropriate
- suppliers should be assessed, managed and audited to the requirements and controls
Prevalent delivers a unified platform with NIST compliance capabilities that enable you to effectively audit supplier security controls. For a complete listing of the NIST supply chain risk management requirements and how Prevalent capabilities map, read The NIST Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.