NIST Special Publication 800-53 Rev. 5 is a comprehensive catalog of security and privacy controls that many organizations use as the framework for their internal security programs. Rev. 5 contains more than 1,000 controls and control enhancements organized into 20 control families, including a dedicated Supply Chain Risk Management (SR) family. Such a broad catalog can quickly become overwhelming for security, risk management, and audit teams trying to decide which controls matter most. When you are responsible for assessing not only your own organization's controls but also those of your third-party vendors and suppliers, the task becomes even more complex.
In this post we discuss how to organize controls into functions and then identify the 15 most essential NIST controls for assessing third-party supplier or vendor security risk.
To decide which NIST 800-53 controls are most applicable to supply chain risk management, start by asking the questions below, each mapped to one of the five Functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
The following table summarizes, by Function, the 15 NIST 800-53 Rev. 5 controls that address those questions. Treat this list as a minimum baseline for a supplier assessment, not a complete control set; your auditor should validate the final scope against your own risk profile and regulatory obligations.
Function | NIST 800-53 Rev. 5 control | What the control requires
---|---|---
Identify: Has the supplier identified its critical systems and components under a risk management framework? | RA-3: Risk Assessment | Conduct risk assessments, document the results, and review and update them at defined frequencies.
Identify | SA-4: Acquisition Process | Include security and privacy requirements, and the controls to be implemented, in acquisition contracts for systems, components and services.
Identify | CM-8: System Component Inventory | Develop, document and maintain an inventory of system components that accurately reflects the system.
Identify | SR-2: Supply Chain Risk Management Plan | Develop, review and update a plan for managing supply chain risks associated with the system, its components and its services.
Protect: Has the supplier defined and implemented controls to manage access to and visibility into critical systems? | SC-7: Boundary Protection | Monitor and control communications at the external managed interfaces and at key internal managed interfaces of the system.
Protect | IA-2: Identification and Authentication (Organizational Users) | Uniquely identify and authenticate organizational users and processes acting on their behalf.
Protect | AT-2: Literacy Training and Awareness | Provide security and privacy literacy training to system users as part of initial training and at defined frequencies.
Protect | CM-3: Configuration Change Control | Determine and document the types of changes that are configuration-controlled; review, approve, record, implement and monitor those changes.
Protect | AC-3: Access Enforcement | Enforce approved authorizations for logical access to information and system resources in accordance with access control policies.
Detect: Does the supplier have visibility into new and emerging threats? | RA-5: Vulnerability Monitoring and Scanning | Monitor and scan systems and hosted applications for vulnerabilities at defined frequencies and when new vulnerabilities affecting the system are identified.
Detect | SI-4: System Monitoring | Monitor the system to detect attacks and indicators of potential attacks, and unauthorized connections and use.
Detect | AU-2: Event Logging | Identify the types of events the system is capable of logging and specify which of them are to be logged.
Detect | CP-2: Contingency Plan | Develop and maintain a contingency plan that identifies essential missions and business functions, recovery objectives and restoration priorities.
Detect | CP-4: Contingency Plan Testing | Test the contingency plan using defined tests to determine its effectiveness and the organization's readiness to execute it.
Respond and Recover: Can the supplier identify and handle incidents and threats? Can it recover critical systems and services? | IR-4: Incident Handling | Implement an incident handling capability (preparation, detection and analysis, containment, eradication and recovery) that is consistent with the incident response plan.
NIST control auditing doesn’t end with simply identifying controls. For more on how to put these NIST controls into practice, download our executive brief, The Top 15 NIST Supply Chain Risk Management Controls and watch our on-demand webinar by the same name!
Ready to dive deeper? Check out the NIST Third-Party Compliance Checklist, which delivers a comprehensive look at how third-party risk management practices map to the recommendations in NIST 800-53, NIST 800-161, and the NIST CSF.
Contact Prevalent today for a free maturity assessment or request a demo to determine how your current SCRM policies stack up to these critical NIST controls.