NIST and Third-Party Risk Management
NIST requires robust management and tracking of third-party supply chain security risk. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organizations consider compliance with these standards and guidelines to be a top priority.
The NIST Special Publication (SP) 800 series establishes computer and information technology-related standards and guidelines for both federal agencies and private organizations. The NIST Cybersecurity Framework (CSF) v1.1 recognizes that specific controls and processes are already covered, and often duplicated, in existing standards, and therefore provides streamlined, high-level guidance for improving cybersecurity defenses.
Both NIST SP 800-53r4 and CSF v1.1 specify that:
- a policy for managing risk should be in place
- security controls should be selected
- a policy should be codified in supplier agreements where appropriate
- suppliers should be managed and audited to the requirements and controls
In the simplest terms, an organization needs to establish and implement the processes to identify, assess and manage supply chain risk.