
NIST SP 800-53r4, NIST SP 800-161 and NIST CSF v1.1 Compliance

NIST and Third-Party Risk Management

The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities is establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organizations consider compliance with these standards and guidelines to be a top priority.

NIST requires robust management and tracking of third-party supply chain security risk.

The NIST Special Publication (SP) 800 series establishes computer and information technology-related standards and guidelines for both federal agencies and private organizations. The NIST Cybersecurity Framework v1.1 recognizes that specific controls and processes are already covered, and often duplicated, in existing standards, and therefore provides streamlined, high-level guidance for improving cybersecurity defenses. NIST Special Publication (SP) 800-161 supplements SP 800-53 and provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology (ICT) supply chain risks at all levels of their organizations.

These NIST standards specify that:

  • a policy for managing risk should be in place
  • security controls should be selected
  • a policy should be codified in supplier agreements where appropriate
  • suppliers should be managed and audited to the requirements and controls

In the simplest terms, an organization needs to establish and implement the processes to identify, assess and manage supply chain risk.

Relevant Requirements

  • Assess whether security controls are implemented correctly, operating as intended, and meeting requirements (Step 4)
  • Monitor security controls on an ongoing basis to determine their effectiveness (Step 6)
  • Determine cybersecurity requirements for suppliers
  • Enact cybersecurity requirements through formal agreements (e.g., contracts)
  • Communicate to suppliers how cybersecurity requirements will be verified and validated
  • Verify that cybersecurity requirements are met through assessment methodologies

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.


Complying with NIST SP 800-53r4, SP 800-161 & CSF v1.1

Here's how Prevalent can help you address NIST third-party risk management standards and frameworks:

NIST SP 800-53r4 Guidelines | How We Help

Chapter 2.5 External Service Providers

"FISMA and OMB policies require that federal agencies using external service providers assure that such use meets the same security requirements that federal agencies are required to meet.

Organizations can require external providers to implement all steps in the Risk Management Framework."

Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

NIST SP 800-161 Guidelines | How We Help

CA-2 SECURITY ASSESSMENTS

(2) Security Assessments | Specialized Assessments

Supplemental ICT SCRM Guidance: Organizations may want to use a variety of assessment techniques and methodologies such as continuous monitoring, insider threat assessment, and malicious user’s assessment. These assessment mechanisms are context-specific and require the organization to understand its ICT supply chain infrastructure and to define the required set of measures for assessing and verifying that appropriate protections have been implemented.

Prevalent Vendor Threat Monitor (VTM) continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks.

Part of the cloud-based Prevalent Third-Party Risk Management Platform, VTM is integrated with questionnaire-based assessments to deliver a comprehensive, 360-degree view of vendor security and compliance.

(3) Security Assessments | External Organizations

Supplemental ICT SCRM Guidance: For ICT SCRM, organizations should consider using external security assessments for system integrators, suppliers, and external service providers. External assessments include certifications and third-party assessments, such as those driven by organizations such as the International Organization for Standardization (ISO), the National Information Assurance Partnership (Common Criteria), and The Open Group Trusted Technology Forum (OTTF), if such certifications meet agency needs.

The Prevalent Third-Party Risk Management Platform includes more than 75 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.

CA-7 CONTINUOUS MONITORING

(3) Continuous Monitoring | Trend Analyses

Supplemental ICT SCRM Guidance: Information gathered during continuous monitoring/trend analysis serves as input into ICT SCRM decisions including criticality analysis, vulnerability and threat analysis, and risk assessment. It also provides information that can be used in incident response and potentially can identify an ICT supply chain compromise, including insider threat.

Cyber Threat Intelligence: Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

CP-2 CONTINGENCY PLAN

(7) Contingency Plan | Coordinate with External Service Providers

Supplemental ICT SCRM Guidance: Organizations should ensure that information systems and ICT supply chain infrastructure components provided by an external service provider have appropriate failover to reduce service interruption. Organizations should ensure that contingency planning requirements are defined as part of the service-level agreement. The agreement may have specific terms addressing critical components and functionality support in case of denial of service to ensure continuity of operation. Organizations should coordinate with external service providers to identify service providers’ existing contingency plan practices and build on them as required by the organization’s mission and business needs. Such coordination will aid in cost reduction and efficient implementation.

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

(10) Incident Handling | Supply Chain Coordination

Supplemental ICT SCRM Guidance: A number of organizations may be involved in managing incidents and responses for supply chain security. After an initial processing of the incident is completed and a decision is made to take action (in some cases, the action may be “no action”), the organization may need to coordinate with their system integrators, suppliers, and external service providers to facilitate communications, incident response, root cause, and corrective actions activities. Organizations should securely share information through a coordinated set of personnel in key roles to allow for a more comprehensive incident handling approach. Selecting system integrators, suppliers, and external service providers with mature capabilities for supporting ICT supply chain incident handling is important for reducing ICT supply chain risk. If transparency for incident handling is limited due to the nature of the relationship, define a set of acceptable criteria in the agreement (e.g., contract). A review (and potential revision) of the agreement is recommended, based on the lessons learned from previous incidents.

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

RA-1 RISK ASSESSMENT POLICY AND PROCEDURES

Supplemental ICT SCRM Guidance: Risk assessments should be performed at the organization, mission/program, and system levels of the organization. The system-level risk assessment should include both the ICT supply chain infrastructure (e.g., development and testing environments, and delivery systems) and the information system/components traversing the ICT supply chain. A criticality analysis will ensure that mission-critical functions and components are given higher priority due to their impact to the mission, if compromised. The policy should include ICT supply chain-relevant roles applicable to performing and coordinating risk assessments across the organization (see Chapter 2 for the listing and description of roles). Applicable roles within acquirer, system integrator, external service providers, and supplier organizations should be defined.

The Prevalent Platform includes more than 75 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.

Automatically generate a risk register upon survey completion, ensuring that the entire risk profile can be viewed in the centralized, real-time reporting dashboard – and reports can be downloaded and exported to determine compliance status. This filters out unnecessary noise and zeroes-in on areas of possible concern, providing visibility and trending to measure program effectiveness.

Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.

RA-3 RISK ASSESSMENT

Supplemental ICT SCRM Guidance: Risk assessments should include consideration of criticality, threats, vulnerabilities, likelihood, and impact, as described in detail in Chapter 2, Integration of ICT SCRM into Risk Management. Data to be reviewed and collected includes ICT SCRM-specific roles, processes, and results of system/component implementation and acceptance. Risk assessments should be performed at Tiers 1, 2, and 3. Risk assessments at Tier 1 should be primarily a synthesis of various risk assessments performed at Tiers 2 and 3 and used for understanding the overall organizational impact.

The Prevalent Platform includes more than 75 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.

SA-12 SUPPLY CHAIN PROTECTION

(2) Supply Chain Protection | Supplier Reviews

Supplemental ICT SCRM Guidance: The organization should define and implement a supplier review program to analyze system integrator, supplier, and external services provider activities where relevant. Usually, an agreement is reached between the organization and system integrators, suppliers, and/or external services providers that guides the level of traceability and visibility achievable. Organizations should be cautious in scoping the review program, as there are costs associated with data collection and keeping, managing, and analyzing the data for relevance once obtained.

Dedicated and custom contract assessment questionnaires enable comprehensive reviews by identifying potential breaches of contract and other risks.

Gain visibility into vendor contract status, contact information, risk and compliance status, performance metrics, and more via centralized dashboards, and leverage PowerBI integration for custom reporting.

Track resolution of issues throughout the remediation process to show risk reduction progress over time and report against KPIs.

(8) Supply Chain Protection | Use of All-Source Intelligence

Supplemental ICT SCRM Guidance: Ensure that all-source threat and vulnerability information includes any available foreign ownership and control (FOCI) data. Review this data periodically as mergers and acquisitions, if affecting a supplier, may impact both threat and vulnerability information and therefore SCRM.

Cyber Threat Intelligence: Reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

Business Updates: Access qualitative insights from over 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more.

Financial Insights: Tap into financial information from a global network of 365 million businesses. Access 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc. Screen new vendors, monitor existing vendors, and evaluate their health for informed sourcing decisions.

Adverse Media Screening: Avoid working with corrupt businesses and individuals by screening them against an extensive database of profiles linked to illicit activities. By consolidating intelligence from 30,000 global news sources, Prevalent enables fast and comprehensive screening to protect your company and its reputation.

Global Sanctions Lists: Simultaneously screen against important sanctions lists (e.g., OFAC, EU, UN, BOE, FBI, BIS, etc.), plus over 1,000 global enforcement lists and court filings (e.g., FDA, US HHS, UK FSA, SEC, etc.) to proactively identify prohibited relationships.

State-Owned Enterprise Screening: Check companies against a proprietary list of government-owned and government-linked enterprises to avoid conflicts of interest.

Politically Exposed Persons (PEP) Screening: Demonstrate your commitment to fighting corruption and bribery by screening against a global PEP database. With access to over 1.8 million politically exposed person profiles, including their families and associates, Prevalent enables you to instantly identify potential vulnerabilities.

Breach Event Notification Monitoring: Access a database containing 10+ years of data breach history for thousands of companies around the world. Includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

NIST CSF v1.1 Guidelines | How We Help

Supply Chain Risk Management (ID.SC)

ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

Prevalent offers security, privacy, and risk management professionals an automated platform to manage the supply chain risk management process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

In addition to facilitating automated, periodic internal control-based assessments, the platform also provides cyber security and business monitoring – continually assessing the third-party networks to identify potential weaknesses that can be exploited by cyber criminals. Prevalent also offers penetration testing as-a-service to help customers investigate vendor network operations at a much more granular level. With the integration of internal assessments, external cyber monitoring and penetration testing, organizations gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks.

Supply Chain Risk Management (ID.SC)

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

The Prevalent Vendor Risk Assessment solution can implement customized questionnaires that verify the vendor is meeting the detailed requirements of the contract.

Supply Chain Risk Management (ID.SC)

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.

Supply Chain Risk Management (ID.SC)

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.

In addition to facilitating automated, periodic internal control-based assessments, the platform also provides cyber security and business monitoring – continually assessing the third-party networks to identify potential weaknesses that can be exploited by cyber criminals. Prevalent also offers penetration testing as-a-service to help customers investigate vendor network operations at a much more granular level. With the integration of internal assessments, external cyber monitoring and penetration testing, organizations gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks.
