15 Critical NIST 800-53 Controls for Supply Chain Risk Management

Sorting through thousands of NIST security controls can be time-consuming. Use this guidance to focus on the most important SCRM controls.
By:
Thomas Humphreys
,
Prevalent Compliance Expert
March 17, 2022

The National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 5 is a comprehensive catalog of security and privacy controls that many organizations use as the framework for their internal security programs. The catalog contains more than 1,000 controls and control enhancements organized into 20 control families. Such a broad array of available controls can quickly overwhelm security, risk management, and audit teams trying to determine which ones matter most. When you are responsible for assessing not only your own organization's internal controls, but also those of your third-party vendors and suppliers, the task becomes even more complex.

In this post we discuss how to organize controls into functions and then identify the 15 most essential NIST controls for assessing third-party supplier or vendor security risk.

Critical Questions to Organize NIST 800-53 Controls for Supply Chain Risk Management

When deciding which NIST 800-53 controls are most applicable to supply chain risk management, start by answering these questions, each mapped to one of the five Functions of the NIST Cybersecurity Framework (CSF):

  • Identify: Has the supplier identified its critical systems and components under a risk management framework? This is the foundation on which the rest of the supplier's cybersecurity program is built.
  • Protect: Has the supplier defined and implemented controls to manage access to and visibility into critical systems? Proactive control management is what limits or contains threats before they become incidents.
  • Detect: Does the supplier have visibility into new and emerging threats? It is important to identify events (e.g., incidents, weaknesses, and threats) that could ultimately affect your organization.
  • Respond: Can the supplier identify and handle incidents and threats? This is about taking action to contain and minimize the impact of cybersecurity incidents.
  • Recover: Does the supplier have the ability to recover critical systems and services? This question determines whether the third party can restore capabilities or services impaired by a cybersecurity event.

The Top 15 NIST Controls for Supply Chain Risk Management

The following table summarizes the 15 key NIST 800-53 controls that address the questions above, grouped by function. Note that these controls are a minimum baseline, not a complete assessment; consult your auditor to validate the set that applies to your organization and its suppliers.

Function | Question | NIST 800-53 Control

Identify

Has the supplier identified its critical systems and components under a risk management framework?

RA-3: Risk Assessment – Conduct risk assessments, document the results, and review and update the assessments at defined frequencies.

SA-4: Acquisition Process – Identify security and privacy controls within the acquisition for new systems.

CM-8: System Component Inventory – Develop and document an inventory of system components that accurately reflects systems.

SR-2: Risk Management Plan – Develop a supply chain risk management plan.

Protect

Has the supplier defined and implemented controls to manage access to and visibility into critical systems?

SC-7: Boundary Protection – Monitor and control communications at the external and internal managed interfaces.

IA-2: Identification and Authentication (Organizational Users) – Uniquely identify and authenticate organizational users and the processes acting on their behalf before granting access to systems.

AT-2: Literacy Training and Awareness – Provide security and privacy literacy training to system users as part of initial training and at defined frequencies thereafter.

CM-3: Configuration Change Control – Determine and document the types of changes to systems that are configuration-controlled, review and approve proposed changes, record approved changes, and monitor and review their implementation.

AC-3: Access Enforcement – Enforce approved authorization for logical access to information and system resources based on access control policies.

Detect

Does the supplier have visibility into new and emerging threats?

RA-5: Vulnerability Monitoring and Scanning – Monitor and scan for vulnerabilities in systems and hosted applications at defined frequencies and when new vulnerabilities affecting them are identified.

SI-4: System Monitoring – Monitor systems to detect attacks and indicators of potential attacks, as well as unauthorized local, network, and remote connections.

AU-2: Event Logging – Identify the types of events the system is capable of logging, specify which of those events are to be logged, and review the selection at a defined frequency.

Respond and Recover

Can the supplier identify and handle incidents and threats? Does it have the ability to recover critical systems and services?

IR-4: Incident Handling – Implement an incident handling capability that covers preparation, detection and analysis, containment, eradication, and recovery, and coordinate it with contingency planning activities.

CP-2: Contingency Plan – Develop, document, and maintain a contingency plan for systems that defines recovery objectives and restoration priorities, assigns contingency roles and responsibilities, and is reviewed and updated at a defined frequency.

CP-4: Contingency Plan Testing – Test the contingency plan for systems at a defined frequency using defined tests to determine the plan's effectiveness and the organization's readiness to execute it.

How to Implement the Top 15 NIST Controls for Supply Chain Risk Management

NIST control auditing doesn’t end with simply identifying controls. For more on how to put these NIST controls into practice, download our executive brief, The Top 15 NIST Supply Chain Risk Management Controls and watch our on-demand webinar by the same name!

Ready to dive deeper? Check out the NIST Third-Party Compliance Checklist, which delivers a comprehensive look at how third-party risk management practices map to the recommendations outlined in NIST 800-53, NIST 800-161, and the NIST CSF.

Contact Prevalent today for a free maturity assessment or request a demo to determine how your current SCRM policies stack up to these critical NIST controls.
