NIST SP 800-53, SP 800-161 & CSF

Hero Image Solutions Compliance Nist Sp800

NIST and Third-Party Risk Management

The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST's responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, many private sector organizations consider compliance with these standards and guidelines to be a top priority.

Several NIST special publications have specific controls that require organizations to establish and implement the processes to identify, assess and manage supply chain risk. These NIST special publications include:

SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Cybersecurity Framework v1.1: Framework for Improving Critical Infrastructure Cybersecurity

Because NIST guidelines complement one another, organizations that standardize on one special publication and cross-map to the others – in effect meeting multiple requirements using a single framework. The Prevalent Third-Party Risk Management Platform can be used to meet NIST requirements for stronger supply chain security.

Relevant Requirements

Assess if security controls are implemented correctly, operating as intended, and meeting requirements
Monitor security controls on an ongoing basis to determine their effectiveness
Determine cybersecurity requirements for suppliers
Enact cybersecurity requirements through formal agreements (e.g., contracts)
Communicate to suppliers how cybersecurity requirements will be verified and validated
Verify that cybersecurity requirements are met through assessment methodologies

The NIST Third-Party Compliance Checklist

The NIST Third-Party Compliance Checklist is a 30-page guide reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and NIST CSF.

Read Now

Complying with NIST SP 800-53r5, SP 800-161r1 & CSF v1.1

The below summary tables map capabilities available in the Prevalent Third-Party Risk Management Platform to select third-party, vendor, or supplier controls present in SP 800-53, with SP 800-161 and the Cybersecurity Framework v1.1 control overlays applied to the tables to illustrate cross-mapping.

SP 800-53 r5 Control Number with SP 800-161r1 and CSF v1.1 Cross-Mapping	How We Help
SP 800 53 Control with SP 800-161 Overlay CA-2 (1) Control Assessments \| Specialized Assessments CA-2 (3) Control Assessments \| Leveraging Results from External Organizations CSF v1.1 Applicable Controls ID.RA-1: Asset Vulnerabilities are identified and documented. DE.DP-4: Event detection information is communicated.	The Prevalent Third-Party Risk Management Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that automatically maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent Vendor Threat Monitor (VTM) continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities. It also correlates assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. With the Prevalent Platform, you can efficiently communicate with vendors and coordinate remediation efforts. Capture and audit conversations; record estimated completion dates; accept or reject submissions on an answer-by-answer basis; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.
SP 800 53 Control with SP 800-161 Overlay CA-7 (3) Continuous Monitoring \| Trend Analyses CSF v1.1 Applicable Controls ID.RA-1: Asset Vulnerabilities are identified and documented. DE.AE-2: Detected events are analyzed to understand attack targets and methods. DE.AE-3: Event data are collected and correlated from multiple sources and sensors. DE.CM-1: The network is monitored to detect potential cybersecurity events. RS.AN-1: Notifications from detection systems are investigated. RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.	Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases. Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.
SP 800 53 Control with SP 800-161 Overlay CP-2 (3) Contingency Plan \| Coordinate with External Service Providers CSF v1.1 Applicable Controls ID.BE-1: The organization’s role in the supply chain is identified and communicated. ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers. PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. DE.AE-4: Impact of events is determined. RS.RP-1: Response plan is executed during or after an incident. RS.CO-3: Information is shared consistent with response plans. RS.CO-4: Coordination with stakeholders occurs consistent with response plans. RS.AN-2: The impact of the incident is understood. RS.AN-4: Incidents are categorized consistent with response plans. RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.	The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance. The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises. In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay IR-4 (3) Incident Handling \| Supply Chain Coordination CSF v1.1 Applicable Controls ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers. DE.AE-2: Detected events are analyzed to understand attack targets and methods. DE.AE-3: Event data are collected and correlated from multiple sources and sensors. DE.AE-4: Impact of events is determined. DE.AE-5: Incident alert thresholds are established. RS.RP-1: Response plan is executed during or after an incident. RS.CO-3: Information is shared consistent with response plans. RS.CO-4: Coordination with stakeholders occurs consistent with response plans. RS.AN-1: Notifications from detection systems are investigated. RS.AN-2: The impact of the incident is understood. RS.AN-4: Incidents are categorized consistent with response plans. RS.MI-2: Incidents are mitigated. RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.	The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance. The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises. In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay IR-5 Incident Monitoring	Prevalent Contract Essentials is a SaaS solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, your procurement and legal teams have a single solution to ensure that key contract clauses are in place, and that service levels and response times are managed.
SP 800 53 Control with SP 800-161 Overlay IR-6 (1) Incident Reporting \| Supply Chain Coordination CSF v1.1 Applicable Controls ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers. RS.CO-2: Incidents are reported consistent with established criteria.	All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay IR-8 Incident Response Plan	The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. The Incident Response Services provides the foundation to be well prepared for board and executive questions regarding the impact of supply chain incidents; and demonstrate proof of your third-party breach response plan with auditors and regulators.
SP 800 53 Control with SP 800-161 Overlay PM-16 Threat Awareness Program CSF v1.1 Applicable Controls ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources. ID.RA-3: Threats, both internal and external, are identified and documented. ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.	Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases. Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay PM-31 Continuous Monitoring Strategy	Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases. Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay RA-1 Policy and Procedures	The Prevalent Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. With the Prevalent Platform, you can automatically generate a risk register upon survey completion, ensuring that the entire risk profile (or a role-specific version) can be viewed in the centralized, real-time reporting dashboard – and reports can be downloaded and exported to determine compliance status. This filters out unnecessary noise and zeroes in on areas of possible concern, providing visibility and trending to measure program effectiveness. Then, you can take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
SP 800 53 Control with SP 800-161 Overlay RA-3 Risk Assessment CSF v1.1 Applicable Controls ID.RA-1: Asset Vulnerabilities are identified and documented. ID.RA-3: Threats, both internal and external, are identified and documented. ID.RA-4: Potential business impacts and likelihoods are identified. ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process CSF DE.AE-4: Impact of events is determined. RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.	The Prevalent Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay RA-7 Risk Response	The Prevalent Platform features built-in guidance to remediate control failures or other identified risks to levels acceptable level to your organization. Prevalent also enables risk assessors to communicate with third parties about remediations, document conversations and updates, and store supporting control documentation in a centralized repository.
SP 800 53 Control with SP 800-161 Overlay RA-9 Criticality Analysis	Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. The assessment criteria includes: Type of content required to validate controls Criticality to business performance and operations Location(s) and related legal or regulatory considerations Level of reliance on fourth parties (to avoid concentration risk) Exposure to operational or client-facing processes *Interaction with protected data Financial status and health Reputation Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments. Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations.
SP 800 53 Control with SP 800-161 Overlay SA-4 (3) Acquisition Process \| Continuous Monitoring Plan for Controls CSF v1.1 Applicable Controls PR.IP-2: A System Development Life Cycle to manage systems is implemented. DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.	In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay SI-4 (1) System Monitoring \| Integrated Situational Awareness CSF v1.1 Applicable Controls DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. DE.AE-2: Detected events are analyzed to understand attack targets and methods. DE.AE-3: Event data are collected and correlated from multiple sources and sensors. DE.AE-4: Impact of events is determined. DE.CM-1: The network is monitored to detect potential cybersecurity events. DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events. DE.DP-4: Event detection information is communicated. RS.CO-3: Information is shared consistent with response plans. RS.AN-1: Notifications from detection systems are investigated.	Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SP 800 53 Control with SP 800-161 Overlay SI-5 Security Alerts, Advisories and Directives CSF v1.1 Applicable Controls ID.RA-1: Asset Vulnerabilities are identified and documented. ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources. ID.RA-3: Threats, both internal and external, are identified and documented. RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness. RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).	Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response. All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

SP 800-53 r5 Control Number with SP 800-161r1 and CSF v1.1 Cross-Mapping

How We Help

SP 800 53 Control with SP 800-161 Overlay

CA-2 (1) Control Assessments | Specialized Assessments
CA-2 (3) Control Assessments | Leveraging Results from External Organizations

CSF v1.1 Applicable Controls

ID.RA-1: Asset Vulnerabilities are identified and documented.
DE.DP-4: Event detection information is communicated.

The Prevalent Third-Party Risk Management Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that automatically maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.

Prevalent Vendor Threat Monitor (VTM) continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities. It also correlates assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.

With the Prevalent Platform, you can efficiently communicate with vendors and coordinate remediation efforts. Capture and audit conversations; record estimated completion dates; accept or reject submissions on an answer-by-answer basis; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.

SP 800 53 Control with SP 800-161 Overlay

CA-7 (3) Continuous Monitoring | Trend Analyses

CSF v1.1 Applicable Controls

ID.RA-1: Asset Vulnerabilities are identified and documented.
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
RS.AN-1: Notifications from detection systems are investigated.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.

SP 800 53 Control with SP 800-161 Overlay

CP-2 (3) Contingency Plan | Coordinate with External Service Providers

CSF v1.1 Applicable Controls

ID.BE-1: The organization’s role in the supply chain is identified and communicated.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
DE.AE-4: Impact of events is determined.
RS.RP-1: Response plan is executed during or after an incident.
RS.CO-3: Information is shared consistent with response plans.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
RS.AN-2: The impact of the incident is understood.
RS.AN-4: Incidents are categorized consistent with response plans.
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance.

The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises.

In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.

All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

SP 800 53 Control with SP 800-161 Overlay

IR-4 (3) Incident Handling | Supply Chain Coordination

CSF v1.1 Applicable Controls

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
DE.AE-4: Impact of events is determined.
DE.AE-5: Incident alert thresholds are established.
RS.RP-1: Response plan is executed during or after an incident.
RS.CO-3: Information is shared consistent with response plans.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
RS.AN-1: Notifications from detection systems are investigated.
RS.AN-2: The impact of the incident is understood.
RS.AN-4: Incidents are categorized consistent with response plans.
RS.MI-2: Incidents are mitigated.
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance.

SP 800 53 Control with SP 800-161 Overlay

IR-5 Incident Monitoring

Prevalent Contract Essentials is a SaaS solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, your procurement and legal teams have a single solution to ensure that key contract clauses are in place, and that service levels and response times are managed.

SP 800 53 Control with SP 800-161 Overlay

IR-6 (1) Incident Reporting | Supply Chain Coordination

CSF v1.1 Applicable Controls

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
RS.CO-2: Incidents are reported consistent with established criteria.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

SP 800 53 Control with SP 800-161 Overlay

IR-8 Incident Response Plan

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. The Incident Response Services provides the foundation to be well prepared for board and executive questions regarding the impact of supply chain incidents; and demonstrate proof of your third-party breach response plan with auditors and regulators.

SP 800 53 Control with SP 800-161 Overlay

PM-16 Threat Awareness Program

CSF v1.1 Applicable Controls

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

SP 800 53 Control with SP 800-161 Overlay

PM-31 Continuous Monitoring Strategy

SP 800 53 Control with SP 800-161 Overlay

RA-1 Policy and Procedures

With the Prevalent Platform, you can automatically generate a risk register upon survey completion, ensuring that the entire risk profile (or a role-specific version) can be viewed in the centralized, real-time reporting dashboard – and reports can be downloaded and exported to determine compliance status. This filters out unnecessary noise and zeroes in on areas of possible concern, providing visibility and trending to measure program effectiveness. Then, you can take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.

SP 800 53 Control with SP 800-161 Overlay

RA-3 Risk Assessment

CSF v1.1 Applicable Controls

ID.RA-1: Asset Vulnerabilities are identified and documented.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified.
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
CSF DE.AE-4: Impact of events is determined.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

The Prevalent Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.

In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational, and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.

SP 800 53 Control with SP 800-161 Overlay

RA-7 Risk Response

The Prevalent Platform features built-in guidance to remediate control failures or other identified risks to levels acceptable level to your organization. Prevalent also enables risk assessors to communicate with third parties about remediations, document conversations and updates, and store supporting control documentation in a centralized repository.

SP 800 53 Control with SP 800-161 Overlay

RA-9 Criticality Analysis

Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. The assessment criteria includes:

Type of content required to validate controls
Criticality to business performance and operations
Location(s) and related legal or regulatory considerations
Level of reliance on fourth parties (to avoid concentration risk)
Exposure to operational or client-facing processes
*Interaction with protected data
Financial status and health
Reputation

Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments.

Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations.

SP 800 53 Control with SP 800-161 Overlay

SA-4 (3) Acquisition Process | Continuous Monitoring Plan for Controls

CSF v1.1 Applicable Controls

PR.IP-2: A System Development Life Cycle to manage systems is implemented.
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.

SP 800 53 Control with SP 800-161 Overlay

SI-4 (1) System Monitoring | Integrated Situational Awareness

CSF v1.1 Applicable Controls

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
DE.AE-4: Impact of events is determined.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
DE.DP-4: Event detection information is communicated.
RS.CO-3: Information is shared consistent with response plans.
RS.AN-1: Notifications from detection systems are investigated.

Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.

SP 800 53 Control with SP 800-161 Overlay

SI-5 Security Alerts, Advisories and Directives

CSF v1.1 Applicable Controls

ID.RA-1: Asset Vulnerabilities are identified and documented.
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

Navigate the TPRM Compliance Landscape

The Third-Party Risk Management Compliance Handbook reveals TPRM requirements in key regulations and industry frameworks, so you can achieve compliance while mitigating vendor risk.

Read the Handbook

Complying with the NIST SP 800-53 Supply Chain Risk Management Control

The below table includes an extract of the SP 800-53 Supply Chain Risk Management control and how the Prevalent Platform addresses the requirements. For a complete mapping, please download the NIST Compliance Checklist.

SP 800-53 r5 Supply Chain Risk Management (SR) Control	How We Help
SR-1 Policy and Procedures	Prevalent Program Design Services define and document your third-party risk management program. You get a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.
SR-2 Supply Chain Risk Management Plan	Prevalent Program Optimization Services help you to continually improve your Prevalent Platform deployment, ensuring that your TPRM program maintains the flexibility and agility it needs to meet evolving business and regulatory requirements.
SR-3 Supply Chain Controls and Processes	Prevalent Program Design Services define and document your third-party risk management program. You get a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.
SR-5 Acquisition Strategies, Tools, and Methods	Prevalent helps procurement teams reduce cost, complexity and risk exposure during vendor selection. Our RFx Essentials solution provides centralized distribution, comparison, and management of RFPs and RFIs. It also helps you get ahead of potential supplier risks with demographic, 4th-party, and ESG scores – plus optional business, reputational, and financial risk insights. As a result, you’re able to take an important first step toward tackling risk in the third-party lifecycle. Once supplier selection is complete, Prevalent Contract Essentials centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, procurement and legal teams have a single solution to manage vendor contracts, simplify management and review, and reduce cost and risk.
SR-6 Supplier Assessments and Reviews	The Prevalent Platform includes more than 100 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner and business resilience security controls. Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.
SR-8 Notification Agreements	With the Prevalent Platform, you can collaborate on documents, agreements and certifications, such as NDAs, SLAs, SOWs and contracts, with built-in version control, task assignment and auto-review cadences. You can also manage all documents throughout the vendor lifecycle in centralized vendor profiles.
SR-13 Supplier Inventory	Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. Assessment criteria include: Type of content required to validate controls Criticality to business performance and operations Location(s) and related legal or regulatory considerations Level of reliance on fourth parties (to avoid concentration risk) Exposure to operational or client-facing processes Interaction with protected data Financial status and health Reputation Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments. Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations.

Complying with the NIST Cybersecurity Framework v1.1

The below table includes a breakout of the supply chain-specific controls in the Cybersecurity Framework v1.1 and how Prevalent helps address the controls. For a complete mapping, please download the NIST Compliance Checklist.

Cybersecurity Framework v1.1 Supply Chain Risk Management (SR) Control	How We Help
ID.SC-1: Identify, establish, assess, and manage cyber supply chain risk management processes, and ensure that organizational stakeholders agree.	Prevalent helps define and document your third-party risk management program with expert professional services. With our help you can build a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.
ID.SC-2: Identify, prioritize, and assess suppliers and third-party partners of information systems, components, and services using a cyber supply chain risk assessment process.	Prevalent help onboard, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle.
ID.SC-3: Implement appropriate measures in supplier and third-party partner contracts to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.	With Prevalent, you can use dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks. Customizable surveys make it easy to gather and analyze necessary performance and contract data in a single risk register.
ID.SC-4: Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.	Prevalent delivers a comprehensive solution to address all information security topics as they pertain to supply chain partner security controls.
ID.SC-5: Conduct response and recovery planning and testing with suppliers and third-party providers.	Prevalent helps your team identify and mitigate the impact supply chain breaches by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance.

Featured Resources

Blog Post
Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk...

NIST has authored several industry standards that deal with identifying, assessing and managing supply chain risk...
White Paper
The NIST Third-Party Compliance Checklist

Bring your TPRM program into alignment with NIST SP 800-53, SP 800-161 and CSF.
Webinar
The Top 15 NIST Supply Chain Risk Management Controls

Compliance expert Thomas Humphreys reviews the top 15 NIST supply chain controls from SP 800-53 and...

Ready to get started?
Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
Request a Demo

NIST SP 800-53r5, NIST SP 800-161r1 and NIST CSF v1.1 Compliance

NIST and Third-Party Risk Management

Relevant Requirements

Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk...

The NIST Third-Party Compliance Checklist

The Top 15 NIST Supply Chain Risk Management Controls