
NIST Cybersecurity Framework (CSF) 2.0 Draft

NIST CSF and Third-Party Risk Management

The National Institute of Standards and Technology (NIST) introduced the Cybersecurity Framework (CSF) in 2014 in response to Executive Order (EO) 13636 for securing critical infrastructure. While many NIST guidelines were developed to secure U.S. federal government systems and data, the CSF is designed for any business or private organization that needs to assess its cybersecurity risks.

The CSF was updated to version 1.1 in April 2018. In August 2023, NIST released a draft version 2.0 for public comment; it is expected to be finalized in 2024. The draft version includes several changes to address growing challenges related to third parties and cybersecurity supply chain risk management (C-SCRM).

Relevant Requirements

  • Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy

  • Help determine the current cybersecurity risk to the organization

  • Use safeguards to prevent or reduce cybersecurity risk

  • Find and analyze possible cybersecurity attacks and compromises

  • Take action regarding a detected cybersecurity incident

  • Restore assets and operations that were impacted by a cybersecurity incident

Prepare for NIST CSF 2.0

Read the Third-Party Compliance Checklist for NIST Cybersecurity Framework 2.0 Draft to assess your third-party risk management program against updated C-SCRM guidelines proposed for CSF 2.0.


Addressing NIST CSF 2.0 Guidelines

The CSF provides a set of cybersecurity outcomes (arranged by Function, Category and Subcategory); examples of how those outcomes might be achieved (called Implementation Examples); and references to additional guidance on how to achieve those outcomes (known as Informative References). The table below reviews the Functions, Categories and Subcategories most relevant to third-party risk management and cybersecurity supply chain management and offers best practice guidance for addressing the guidelines.

Note: This is a summary table only and is not an exhaustive list of NIST Categories. For a full view of the draft NIST CSF, download the complete version. Work with your internal audit team and external auditors to determine the right Categories and Subcategories to focus on.

Function, Category & Subcategory | How Prevalent Helps

GOVERN (GV): Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes

Prevalent helps you build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management and compliance programs.

Our experts collaborate with your team on:

  • Defining and implementing TPRM and C-SCRM processes and solutions
  • Selecting risk assessment questionnaires and frameworks
  • Optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite

As part of this process, we will help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance

GV.SC-04: Suppliers are known and prioritized by criticality

Prevalent helps by quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.
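The scoring and tiering described above, as an added example that is not Prevalent's code: the eight criteria follow the list above, while the weights, the 0-5 rating scale, the tier thresholds, the two hard rules and the diligence scope per tier are assumptions chosen for illustration, and the supplier records are constructed.

```python
"""Inherent-risk scoring and rule-based supplier tiering (added example).

The criteria mirror the list above. Weights, the 0-5 rating scale, the tier
thresholds and the two hard rules are assumptions for illustration; the
supplier records are constructed.
"""
from dataclasses import dataclass

# Assumed weight per criterion; each criterion is rated 0 (none) to 5 (maximum)
WEIGHTS = {
    "content_type": 2,            # type of content required to validate controls
    "business_criticality": 4,    # criticality to business performance and operations
    "location_regulatory": 2,     # location(s) and legal or regulatory considerations
    "fourth_party_reliance": 2,   # level of reliance on fourth parties
    "operational_exposure": 3,    # exposure to operational or client-facing processes
    "protected_data": 4,          # interaction with protected data
    "financial_health": 2,        # financial status and health
    "reputation": 1,              # reputation
}
MAX_SCORE = 5 * sum(WEIGHTS.values())  # 100 with the weights above

# Assumed diligence scope per tier: (assessment depth, ongoing assessment frequency)
DILIGENCE = {
    "Tier 1": ("full control assessment plus evidence review", "quarterly"),
    "Tier 2": ("standard questionnaire", "annually"),
    "Tier 3": ("self-attestation", "at contract renewal"),
}


@dataclass
class Supplier:
    name: str
    ratings: dict                 # criterion -> 0..5, one entry per WEIGHTS key
    handles_protected_data: bool = False
    sanctioned_jurisdiction: bool = False


def inherent_risk_score(s: Supplier) -> float:
    """Weighted sum of the criterion ratings, normalised to 0-100.

    A missing criterion raises KeyError and an out-of-range rating raises
    ValueError, so an incomplete intake form cannot silently score low.
    """
    total = 0
    for criterion, weight in WEIGHTS.items():
        rating = s.ratings[criterion]
        if not 0 <= rating <= 5:
            raise ValueError(f"{s.name}: {criterion} rating {rating} not in 0..5")
        total += weight * rating
    return round(100 * total / MAX_SCORE, 1)


def tier(s: Supplier) -> str:
    """Rule-based tiering: hard rules first, then score thresholds."""
    score = inherent_risk_score(s)
    if s.sanctioned_jurisdiction:      # hard rule: regulatory exposure trumps the score
        return "Tier 1"
    if score >= 70:
        return "Tier 1"
    if score >= 40 or s.handles_protected_data:  # hard rule: protected data => at least Tier 2
        return "Tier 2"
    return "Tier 3"


def prioritize(suppliers):
    """Return (name, score, tier, assessment depth, frequency), highest risk first."""
    rows = []
    for s in suppliers:
        t = tier(s)
        rows.append((s.name, inherent_risk_score(s), t, *DILIGENCE[t]))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample suppliers
SUPPLIERS = [
    Supplier("CloudPayroll", {"content_type": 3, "business_criticality": 5,
             "location_regulatory": 2, "fourth_party_reliance": 4,
             "operational_exposure": 4, "protected_data": 5,
             "financial_health": 2, "reputation": 1}, handles_protected_data=True),
    Supplier("OfficeSupplies", {**{k: 1 for k in WEIGHTS}, "protected_data": 0}),
    Supplier("MarketingAgency", {"content_type": 2, "business_criticality": 2,
             "location_regulatory": 1, "fourth_party_reliance": 2,
             "operational_exposure": 1, "protected_data": 3,
             "financial_health": 2, "reputation": 2}, handles_protected_data=True),
    Supplier("RegionalLogistics", {**{k: 1 for k in WEIGHTS}, "protected_data": 0},
             sanctioned_jurisdiction=True),
]

if __name__ == "__main__":
    for row in prioritize(SUPPLIERS):
        print(*row, sep=" | ")
```

The hard rules are the point of "rule-based" tiering: MarketingAgency scores below the Tier 2 threshold but handles protected data, and RegionalLogistics scores as low as an office-supplies vendor but sits in a sanctioned jurisdiction, so both are pulled up regardless of the weighted score.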

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

With Prevalent, you can centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key Prevalent capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

Prevalent offers capabilities that enable your procurement team to centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes.

As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions.

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

Prevalent features a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes.

Assessments are managed centrally and backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, Prevalent includes built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, Prevalent continuously tracks and analyzes external threats to third parties. Our Vendor Threat Monitor solution scans the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Prevalent also incorporates third-party operational, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

Prevalent helps your team develop an incident management strategy that enables them to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Managed services include dedicated experts who centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Prevalent ROC Managed Services greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place.

Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
  • Built-in reporting templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk
  • Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data

Prevalent also leverages databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging experts.

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Please see GV.SC-01 and GV.SC-02.

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

Building on the best practices recommended for GV.SC-05, Prevalent automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. Key capabilities include:

  • Scheduled tasks to ensure all obligations have been met
  • Customizable contract assessments to evaluate status
  • Customizable surveys and workflows that report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more
  • Centrally stored and managed documents and certifications, such as NDAs, SLAs, SOWs and contracts
  • Built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed
  • Built-in remediation recommendations and guidance
  • Automatic mapping of assessment results to any regulation or framework

IDENTIFY (ID): Help determine the current cybersecurity risk to the organization

Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy

ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained

To address this Subcategory, Prevalent helps to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. The solution includes a questionnaire-based assessment of your suppliers and passive scanning of the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies and information flows that could expose your organization to risk.

ID.AM-04: Inventories of services provided by suppliers are maintained

Prevalent enables you to build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized and customizable intake form and associated workflow tasks. This capability is available to everyone via email invitation, without requiring any training or solution expertise.

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission

Please see GV.SC-04.

ID.AM-08: Systems, hardware, software, and services are managed throughout their life cycle

To address this Subcategory, Prevalent enables you to:

  • Continuously assess and monitor the potential risks the service provider introduces into your environment; and make recommendations to mitigate the impact of those risks
  • Monitor service levels, key performance indicators (KPIs) and key risk indicators (KRIs) to ensure adherence to contractual agreements
  • Securely offboard service providers to ensure data and system security post-contract termination

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to the organization, assets, and individuals

ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources

ID.RA-03: Internal and external threats to the organization are identified and recorded

ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk and inform risk prioritization

ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated

ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. As part of this, Prevalent monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

  • Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
  • Databases containing several years of data breach history for thousands of companies around the world

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, the Prevalent Platform applies risk scoring and prioritization according to a likelihood and impact model. This model frames risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those.

Then, you can assign owners and track risks and remediations to a level acceptable to the business.
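The correlation, scoring and prioritization steps described above, as an added example that is not Prevalent's code: assessment findings and monitoring findings are merged into one register entry per vendor and control, scored on a 5x5 likelihood-and-impact matrix, ranked, and given an owner. The 1-5 scales, the band thresholds, the merge rule and the sample findings are assumptions or constructed for this example.

```python
"""Likelihood-and-impact risk register (added example).

Merges assessment findings and monitoring findings per vendor and control,
scores each on a 5x5 likelihood-and-impact matrix, and ranks them. The
scales, band thresholds, merge rule and sample findings are assumptions or
constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    vendor: str
    control: str      # control area the finding relates to
    source: str       # "assessment" (questionnaire/evidence) or "monitoring" (external)
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)


def band(score: int) -> str:
    """Assumed bands on the 1-25 product scale."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def correlate(findings):
    """Build the unified register: one entry per (vendor, control).

    When an assessment answer and a monitoring alert point at the same
    control, the higher likelihood and impact are kept, so external evidence
    can raise a self-reported finding but never lower it.
    """
    register = {}
    for f in findings:
        if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
            raise ValueError(f"{f.vendor}/{f.control}: ratings must be 1..5")
        key = (f.vendor, f.control)
        entry = register.setdefault(key, {
            "vendor": f.vendor, "control": f.control,
            "likelihood": 0, "impact": 0, "sources": set(),
            "owner": None, "status": "open",
        })
        entry["likelihood"] = max(entry["likelihood"], f.likelihood)
        entry["impact"] = max(entry["impact"], f.impact)
        entry["sources"].add(f.source)
    for entry in register.values():
        entry["score"] = entry["likelihood"] * entry["impact"]
        entry["band"] = band(entry["score"])
    return list(register.values())


def matrix(register):
    """5x5 grid of counts: rows = likelihood 1..5, columns = impact 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for e in register:
        grid[e["likelihood"] - 1][e["impact"] - 1] += 1
    return grid


def prioritize(register):
    """Highest score first; ties broken by impact, then vendor name."""
    return sorted(register, key=lambda e: (-e["score"], -e["impact"], e["vendor"]))


def assign_owner(register, vendor, control, owner):
    """Attach a risk owner to a register entry so remediation can be tracked."""
    for e in register:
        if e["vendor"] == vendor and e["control"] == control:
            e["owner"] = owner
            return e
    raise KeyError((vendor, control))


# Constructed sample findings: two sources report the same AcmeHosting control
SAMPLE = [
    Finding("AcmeHosting", "patch-management", "assessment", 2, 4),
    Finding("AcmeHosting", "patch-management", "monitoring", 4, 4),
    Finding("AcmeHosting", "backup-recovery", "assessment", 2, 3),
    Finding("DataLabs", "access-control", "monitoring", 3, 5),
    Finding("DataLabs", "security-training", "assessment", 1, 2),
]

if __name__ == "__main__":
    reg = prioritize(correlate(SAMPLE))
    for e in reg:
        print(e["vendor"], e["control"], e["score"], e["band"], sorted(e["sources"]))
    for row in matrix(reg):
        print(row)
```

The merge rule is the design choice worth noticing: the vendor's questionnaire rated its patch-management likelihood at 2, but external monitoring rated it at 4, and the register keeps the higher value and records both sources, which is what lets an analyst see that the self-reported answer and the observed evidence disagree.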

ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use

As part of the due diligence process, you can use Prevalent to require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization's security and compliance. SBOMs are treated as any other document type, and you can apply automated document profiles to search for and extract the key details needed to validate software components.
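One way to extract and check the key details from a vendor-supplied SBOM, as an added example that is not Prevalent's code or its document profiles: the parser reads the CycloneDX JSON layout (bomFormat, specVersion, a components array with name, version, purl and licenses) and flags components with no version, no declared licence, a licence that an assumed organisational policy routes to legal review, or a match in a constructed affected-component lookup. The SBOM, the policy list and the lookup (whose advisory identifier is a placeholder) are all constructed for this example.

```python
"""SBOM review during vendor due diligence (added example).

Parses a CycloneDX-shaped JSON SBOM and flags components that cannot be
matched (no version), carry no declared licence, use a licence the
organisation's assumed policy routes to legal review, or match an entry in
a constructed affected-component lookup. The SBOM, the policy list and the
lookup are all constructed for this example.
"""
import json

# Constructed SBOM using the CycloneDX JSON layout (bomFormat, specVersion, components[])
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbar", "version": "2.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libbaz",
     "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
    {"type": "library", "name": "libqux", "version": "0.9.0"}
  ]
}
"""

# Assumed organisational policy: licences that must be reviewed before approval
REVIEW_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed lookup standing in for a vulnerability database; the advisory
# identifier is a placeholder, not a real advisory
KNOWN_AFFECTED = {("libfoo", "1.2.3"): "ADVISORY-PLACEHOLDER-001"}


def parse_components(text: str):
    """Extract name, version, purl and declared licence identifiers per component."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    components = []
    for c in doc.get("components", []):
        licenses = []
        for entry in c.get("licenses", []):
            if "expression" in entry:            # SPDX expression form
                licenses.append(entry["expression"])
            else:                                # single licence object form
                lic = entry.get("license", {})
                lic_id = lic.get("id") or lic.get("name")
                if lic_id:
                    licenses.append(lic_id)
        components.append({
            "name": c.get("name"),
            "version": c.get("version"),
            "purl": c.get("purl"),
            "licenses": licenses,
        })
    return components


def review(components):
    """Return (component name, finding) pairs for an analyst to follow up."""
    findings = []
    for c in components:
        if not c["version"]:
            findings.append((c["name"], "no version: cannot be matched against advisories"))
        if not c["licenses"]:
            findings.append((c["name"], "no licence declared"))
        for lic in c["licenses"]:
            if lic in REVIEW_LICENSES:
                findings.append((c["name"], f"licence {lic} requires legal review"))
        advisory = KNOWN_AFFECTED.get((c["name"], c["version"]))
        if advisory:
            findings.append((c["name"], f"matches {advisory}"))
    return findings


if __name__ == "__main__":
    for name, finding in review(parse_components(SAMPLE_SBOM)):
        print(f"{name}: {finding}")
```

A missing version is reported as its own finding rather than silently skipped, because a component that cannot be matched against any advisory is a gap in the evidence, not a clean result. SPDX licence expressions are kept whole, so a policy match on an expression such as "GPL-3.0-only OR MIT" would need expression parsing beyond this example.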

DETECT (DE): Find and analyze possible cybersecurity attacks and compromises

Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

DE.CM-06: External service provider activities and services are monitored to find potentially adverse events

Please see ID.RA.

Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities

DE.AE-03: Information is correlated from multiple sources

DE.AE-04: The estimated impact and scope of adverse events are determined

DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis

DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

Please see ID.RA.

RESPOND (RS): Take action regarding a detected cybersecurity incident

Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed

RS.MA-01: The incident response plan is executed once an incident is declared in coordination with relevant third parties

Please see GV.SC-08.

Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

RS.CO-02: Internal and external stakeholders are notified of incidents

RS.CO-03: Information is shared with designated internal and external stakeholders

Please see GV.SC-08.

RECOVER (RC): Restore assets and operations that were impacted by a cybersecurity incident

Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties

RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Please see GV.SC-08.
