NIST CSF 2.0: Implications for Your Third-Party Risk Management Program

Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check out the highlights here.
Dave Shackleford
Owner & Principal Consultant, Voodoo Security
February 29, 2024
Blog nist 2 0 tprm 0823

Supply chain security incidents dominate the headlines with every day bringing a newly announced breach – whether a software intrusion like SolarWinds or Okta or a supply chain attack such as Toyota. More recently, Microsoft announced an intrusion related to a compromised key that granted illicit access to customer data.

With the continued pace of third-party attacks, it’s enough for security teams to ask: What could possibly happen next?

NIST CSF and Third-Party Risk Management

For many organizations, the answer to that question is: You need to get your third-party risk management (TPRM) house in order by leveraging best practices guidance and benchmarks. Often, that guidance comes from common cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Now that the NIST CSF version 2.0 has been finalized, there are significant changes that will impact how you design and implement your TPRM program to address these risks.

In this post, I will examine the most significant proposed third-party risk management (TPRM) and C-SCRM changes to the NIST CSF; review the Core Functions of the CSF; and recommend best practices for implementing the NIST CSF as part of your third-party risk management program.

Three Impactful TPRM Updates in NIST CSF Version 2.0

1. New Govern Function

The introduction of the Govern Function illustrates how critical cybersecurity governance is to managing and reducing cybersecurity risk in supply chains. Previous governance content found in the other Functions – Identify, Protect, Detect, Response and Recover – has been moved into the Govern Function. With the proposed changes, cybersecurity governance includes:

  • Determining priorities and risk tolerances of the organization, customers, and society
  • Assessing cybersecurity risks and impacts (including for third parties)
  • Establishing cybersecurity policies and procedures
  • Understanding cybersecurity roles and responsibilities

According to NIST, these activities are critical to detecting, responding to, and recovering from cybersecurity-related events and incidents – as well as to overseeing teams who carry out cybersecurity activities for the organization.

The inclusion of a dedicated governance function will help align and integrate third-party cybersecurity activities and processes across third-party risk management, enterprise risk management and legal teams.

2. Increased Roles for Legal and Compliance Teams

Consistent with the addition of the Govern Function, CSF 2.0 emphasizes the role of legal and compliance teams. For TPRM, these groups require accurate and timely reporting from suppliers, vendors and other third-party organizations that may have access to sensitive data, systems and applications.

3. Enhanced Guidance on Supply Chain Risks

The most impactful CSF 2.0 update for TPRM teams is the enhanced guidance on managing supply chain risks. CSF 2.0 includes additional cybersecurity supply chain risk management (C-SCRM) outcomes to help organizations address these distinct risks. According to the CSF, “The primary objective of C-SCRM is to extend appropriate first-party cybersecurity risk management considerations to third parties, supply chains, and products and services an organization acquires, based on supplier criticality and risk assessment.”

The supply chain risk management category has been expanded into the new Govern Function and includes new provisions that incorporate cybersecurity into contracts, contract termination, and continuous evaluation of third-party risks across the organization’s environment.

On-Demand Webinar: NIST CSF 2.0: Implications for Your TPRM Program

Join Dave Shackleford, CEO at Voodoo Security and SANS Senior Instructor, as he shares his insights on NIST CSF, and how the CSF 2.0 framework can help you manage risks from your third-party suppliers.

The NIST CSF Structure

The CSF is organized into six Core Functions: Govern, Identify, Protect, Detect, Respond and Recover. The Core Functions are outcome-oriented and not considered a checklist of actions by NIST. For an illustration of the Core Functions, see the graphic below.

The six Core Functions of the NIST Cybersecurity Framework. Courtesy: NIST.

1. Govern

A new Function introduced with version 2.0, Govern is foundational and designed to inform how an organization will achieve and prioritize the outcomes of the other five Functions in the context of its broader enterprise risk management strategy. It includes oversight of the cybersecurity strategy, roles, responsibilities, policies, processes, and procedures, and it centralizes cybersecurity supply chain risk management guidance.

2. Identify

The Identify Function is designed to establish an understanding of an organization’s assets (e.g., data, hardware, software, systems, facilities, services, and people) and the related cybersecurity risks.

3. Protect

The Protect Function offers specific guidance to secure assets to reduce the likelihood and impact of adverse cybersecurity events. Included here are topics such as awareness and training; data security; identity management, authentication and access control; platform security (i.e., securing the hardware, software, and services of physical and virtual platforms); and the resilience of technology infrastructure.

4. Detect

The Detect Function is meant to enable the discovery and analysis of anomalies, indicators of compromise, and other potentially adverse cybersecurity events.

5. Respond

The Respond Function includes guidelines for containing the impact of cybersecurity incidents, such as incident management, analysis, mitigation, reporting, and communication.

6. Recover

The Recover Function includes guidelines for restoring normal operations to reduce the impact of cybersecurity incidents.

Nearly every Function includes Categories and Subcategories that directly apply to third-party risk management and cybersecurity supply chain risk management.

The Govern Function: Cybersecurity Supply Chain Risk Management in Depth

Note: This is a summary table only and is not an exhaustive list of NIST Categories. For a full view of the NIST CSF, download the complete version. Work with your internal audit team and external auditors to determine the right Categories and Subcategories to focus on.

Function, Category & Subcategory Best Practices

GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes

Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management and compliance programs.

  • Seek out experts to collaborate with your team on:
  • Defining and implementing TPRM and C-SCRM processes and solutions
  • Selecting risk assessment questionnaires and frameworks
  • Optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite

As part of this process, you should define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Key risk indicators (KRIs), key performance indicators (KPIs) and service levels for incident response

GV.SC-04: Suppliers are known and prioritized by criticality

Centralize your third-party inventory in a software solution. Then, quantify inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization should include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic should enable vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations.

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

Centralize the distribution, discussion, retention, and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities should include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

Centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes.

As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions.

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes.

Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Be sure to incorporate third-party operational, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

As part of your broader incident management strategy ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place.

Key capabilities in a third-party incident response service should include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
  • Built-in reporting templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk
  • Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data

Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging experts.

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Please see GV.SC-01 and GV.SC-02.

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

Building on the best practices recommended for GV.SC-05, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met
  • Issue contract assessments to evaluate status
  • Leverage surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, etc.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts
  • Analyze documents to confirm key criteria are addressed
  • Take actionable steps to reduce vendor risk with remediation recommendations and guidance.
  • Visualize and address compliance requirements by automatically mapping assessment results to regulations and frameworks

Align Your TPRM Program with NIST CSF 2.0

Read the Third-Party Compliance Checklist for NIST Cybersecurity Framework 2.0 to assess your third-party risk management program against the latest C-SCRM guidelines.

Read Now
Featured resource nist csf 2 0

Next Steps: Download the Complete NIST CSF 2.0 Checklist

Now that is has been finalized, security and risk professionals should take stock of the final CSF 2.0 document, and use the framework to assess their third-party cybersecurity risk management efforts. This final version will help organizations better incorporate comprehensive TPRM and C-SCRM into their organizations, from governance to risk management and cybersecurity.

For more on how NIST CSF 2.0 will incorporate TPRM and cybersecurity supply chain risk management controls, scroll up to watch my on-demand webinar conducted with Prevalent. I also invite you to download the comprehensive NIST CSF 2.0 checklist developed by Prevalent. It examines the Govern Function and its supply chain risk management controls in detail.

For more on the Prevalent TPRM solution for NIST CSF 2.0, schedule a demonstration with them today.

Dave Shackleford
Dave Shackleford
Owner & Principal Consultant, Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and faculty at IANS Research. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. Dave is a SANS Analyst, serves on the Board of Directors at the SANS Technology Institute, and helps lead the Atlanta chapter of the Cloud Security Alliance.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo