
NIST SP 800-53r4 and NIST CSF v1.1 Compliance

Complying with NIST SP 800-53r4 and NIST CSF v1.1 Standards and Frameworks

The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities is establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organizations consider compliance with these standards and guidelines to be a top priority.

NIST and Third-Party Risk Management

NIST requires robust management and tracking of third-party supply chain security risk, and its standards and guidelines set out how that expectation applies to an organization's suppliers.

The NIST Special Publication (SP) 800 series establishes computer and information technology-related standards and guidelines for both federal agencies and private organizations. The NIST Cybersecurity Framework v1.1 recognizes that specific controls and processes are already covered in existing standards, and therefore provides streamlined, high-level guidance for improving cybersecurity defenses rather than duplicating them.

Both NIST SP 800-53r4 and CSF v1.1 specify that:

  • a policy for managing risk should be in place
  • security controls should be selected
  • a policy should be codified in supplier agreements where appropriate
  • suppliers should be managed and audited to the requirements and controls

In the simplest terms, an organization needs to establish and implement the processes to identify, assess and manage supply chain risk.

Relevant Requirements

Applicable NIST SP 800-53r4 Risk Management Framework steps include:

  • Assessing if security controls are implemented correctly, operating as intended, and meeting requirements (Step 4)
  • Monitoring security controls on an ongoing basis to determine their effectiveness (Step 6)

NIST Cybersecurity Framework v1.1, Section 3.3 covers supply chain risk, including:

  • Determining cybersecurity requirements for suppliers
  • Enacting cybersecurity requirements through formal agreements (e.g., contracts)
  • Communicating to suppliers how cybersecurity requirements will be verified and validated
  • Verifying that cybersecurity requirements are met through assessment methodologies


Meeting NIST SP 800-53r4 and NIST CSF v1.1 Standards and Frameworks

Here's how Prevalent can help you address NIST third-party risk management standards and frameworks:

NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations

Guideline: Chapter 2.5 External Service Providers

"FISMA and OMB policies require that federal agencies using external service providers assure that such use meets the same security requirements that federal agencies are required to meet.

Organizations can require external providers to implement all steps in the Risk Management Framework."

How Prevalent helps: Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.


NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1

Category: Supply Chain Risk Management (ID.SC)

Guideline: ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

How Prevalent helps: Prevalent provides the same automated vendor risk assessment platform described under NIST SP 800-53r4 Chapter 2.5 above, with standard and custom questionnaires for evidence collection, bi-directional remediation workflows, live reporting, and a dashboard that ensures identified risks are escalated to the proper channels.

In addition to facilitating automated, periodic internal control-based assessments, the platform also provides cybersecurity and business monitoring, continually assessing third-party networks to identify potential weaknesses that could be exploited by cybercriminals. Prevalent also offers penetration testing as-a-service to help customers investigate vendor network operations at a much more granular level. By integrating internal assessments, external cyber monitoring and penetration testing, organizations gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks.

Guideline: ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.

How Prevalent helps: The Prevalent Assessment solution can implement customized questionnaires that verify the vendor is meeting the detailed requirements of the contract.

Guideline: ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

How Prevalent helps: The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.

Guideline: ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.

How Prevalent helps: The continuous cybersecurity and business monitoring and the penetration testing as-a-service described under ID.SC-2 above also support this subcategory, combining internal assessments with external monitoring and testing to give organizations a complete view of vendor risks and actionable remediation guidance.


The Prevalent Difference

Delivered in the simplicity of the cloud, the Prevalent Third-Party Risk Management Platform provides deep, internal control-based assessments to help determine supplier compliance with IT security controls and data privacy requirements. Findings and remediation management between an organization and its suppliers ensure that required controls remain aligned with a company’s own risk appetite and tolerance levels. 

Ratings solutions that solely rely on an outside-in approach do nothing to determine what controls are in place, or what IT security and data privacy procedures a supplier follows. Prevalent delivers both an outside-in and inside-out view of supplier risk, enabling you to comply with NIST frameworks and standards.