How to Use NIST SP 800-53 for Improved Third-Party Supply Chain Risk Management

CA-2 (2) Control Assessments | Specialized Assessments

Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing.

CA-2 (3) Control Assessments | Leveraging Results from External Organizations

Organizations may rely on control assessments of organizational systems by other (external) organizations.

Look for solutions that feature a large library of pre-built templates for third-party risk assessments – including those specifically built around NIST controls. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship.

Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanction, and financial information.

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.

Be sure to incorporate third-party operational, reputational, and financial data to add context to cyber findings and measure the impact of incidents over time.

If required, substitute third-party auditors SOC 2 reports for a vendor’s risk assessments. Review the list of control gaps identified within the SOC 2 report, create risk items against the third party, and track and report against deficiencies over time.

CP-2 (7) Contingency Plan | Coordinate with External Service Providers

Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

IR-4 (10) Incident Handling | Supply Chain Coordination

Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

IR-5 Incident Monitoring

Track and document incidents.

IR-6 (3) Incident Reporting | Supply Chain Coordination

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

IR-8(1) Incident Response Plan | Breaches

Include the following in the Incident Response Plan for breaches involving personally identifiable information:

(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;

(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and

(c) Identification of applicable privacy requirements.

As part of your broader incident management strategy ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance on your organization’s behalf. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident, coordinate with vendors, and ensure that remediations are in place.

Key capabilities in the Third-Party Incident Response Service include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
• Built-in reporting templates for internal and external stakeholders
• Guidance from built-in remediation recommendations to reduce risk
• Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data

Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

PM-9 Risk Management Strategy

a. Develop a comprehensive strategy to manage:

1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and

2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

b. Implement the risk management strategy consistently across the organization; and

c. Review and update the risk management strategy as required, to address organizational changes.

PM-30 Supply Chain Risk Management Strategy

a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

b. Implement the supply chain risk management strategy consistently across the organization; and

c. Review and update the supply chain risk management strategy on an organization-defined frequency or as required, to address organizational changes.

Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management and compliance programs.

Seek out experts to collaborate with your team on:

• Defining and implementing TPRM and C-SCRM processes and solutions
• Selecting risk assessment questionnaires and frameworks
• Optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite

As part of this process, you should define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance

Continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendorkey performance indicators (KPIs) and key risk indicators (KRIs) through the relationship lifecycle.

PM 30 (1) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-Essential Items

Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

Start by quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers, set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic should enable vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations.

PM-31 Continuous Monitoring Strategy

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

a. Establishing organization-wide metrics to be monitored;

b. Establishing defined frequencies for monitoring and assessment of control effectiveness;

c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;

d. Correlation and analysis of information generated by control assessments and monitoring;

e. Response actions to address results of the analysis of control assessment and monitoring information; and

f. Reporting the security and privacy status of organizational systems to defined personnel.

Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information.

Monitoring sources typically include:

• Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Databases containing several years of data breach history for thousands of companies around the world

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those.

Assign owners and track risks and remediations to a level acceptable to the business.

RA-1 Policy and Procedures

Develop, document, and disseminate:

1. A risk assessment policy that:

(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

b. Designate an official to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

c. Review and update the current risk assessment:

1. Policy and
2. Procedures.

See PM-9 Risk Management Strategy

RA-2 (1) Security Categorization | Impact-Level Prioritization

Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.

See PM 30 (1) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-Essential Items

RA-3 (1) Risk Assessment | Supply Chain Risk Assessment

(a) Assess supply chain risks associated with systems, components, and services; and

(b) Update the supply chain risk assessment when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

Look for solutions that feature a large library of pre-built templates for third-party risk assessments – including those specifically built around NIST controls. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes.

Assessments should be managed centrally and backed by workflow, task management, and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

RA-3 (2) Risk Assessment | Use of All-Source Intelligence

Use all-source intelligence to assist in the analysis of risk.

RA-3 (3) Risk Assessment | Dynamic Threat Awareness

Determine the current cyber threat environment on an ongoing basis.

RA-3 (4) Risk Assessment | Predictive Cyber Analytics

Employ advanced automation and analytics capabilities to predict and identify risks.

RA-7 Risk Response

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information.

Monitoring sources typically include:

• Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Databases containing several years of data breach history for thousands of companies around the world

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and prioritize remediation efforts.

Assign owners and track risks and remediations to a level acceptable to the business.

RA-9 Criticality Analysis

Identify critical system components and functions by performing a criticality analysis at defined decision points in the system development life cycle.

See PM 30 (1) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-Essential Items

SR-1 Policy and Procedures

Develop, document, and disseminate:

1. A supply chain risk management policy that:

(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

b. Designate an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

c. Review and update the current supply chain risk management:

1. Policy and
2. Procedures

See PM-9 Risk Management Strategy

SR-2 Supply Chain Risk Management Plan

a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems, system components, or system services

b. Review and update the supply chain risk management plan as required, to address threat, organizational or environmental changes; and

c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

See PM-9 Risk Management Strategy

SR-3 Supply Chain Controls and Processes

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes in coordination with supply chain personnel;

*b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events; and

c. Document the selected and implemented supply chain processes and controls in the supply chain risk management plan.*

See PM-9 Risk Management Strategy

SR-4 (4) Provenance | Supply Chain Integrity – Pedigree

Employ controls and analyze to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.

As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance.

SR-5 Acquisition Strategies, Tools, and Methods

Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.

Centralize and automate the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes.

As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions

SR-6 Supplier Assessments and Reviews

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide.

See RA-3 (1) Risk Assessment | Supply Chain Risk Assessment

SR-8 Notification Agreements

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises; and results of assessments or audits.

Centralize the distribution, discussion, retention, and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

SR-13 Supplier Inventory

a. Develop, document, and maintain an inventory of suppliers that:

1. Accurately and minimally reflects the organization’s tier-one suppliers that may present a cybersecurity risk in the supply chain;

2. Is it at the level of granularity deemed necessary for assessing criticality and supply chain risk, tracking, and reporting;

3. Documents the following information for each tier one supplier (e.g., prime contractor): review and update supplier inventory.

i. Unique identify for procurement instrument (i.e., contract, task, or delivery order);

ii. Description of the supplied products and/or services;

iii. Program, project, and/or system that uses the supplier’s products and/or services; and

iv. Assigned criticality level that aligns with the criticality of the program, project, and/or system (or component of the system).

b. Review and update the supplier inventory.

Centralize all supplier insights into a single supplier profile so that all departments that engage with suppliers leverage the same information, improving visibility and decision-making.

Import vendors via a spreadsheet template or through an API connection to an existing procurement solution, eliminating error-prone, manual processes.

Populate key supplier details with a centralized and customizable intake form and associated workflow. This should be available to everyone via email invitation, without requiring any training or solution expertise.

Build comprehensive supplier profiles that compare and monitor supplier demographics, geographic location, fourth-party technologies, and recent operational insights. Having this accumulated data will enable you to report on and take action against geographic and technology concentration risks especially.