The National Institute of Standards and Technology (NIST) has issued special publications focused on improving Third-Party Risk Management (TPRM) and Supply Chain Risk Management (SCRM).
The NIST Cyber Security Framework (NIST CSF) special publication has become a popular option for its unique applicability to all industries with critical infrastructures.
NIST CSF isn’t a light read. With 5 functions, 23 categories, and 108 subcategories, identifying the NIST CSF security controls applicable to cyber supply chain risk management is a daunting task.
This post sets apart the specific security controls for third-party information security management and explains how to align risk management processes against these requirements.
What is the NIST Cybersecurity Framework (CSF)?
The NIST Cybersecurity Framework aggregates best cybersecurity practices to help organizations protect their digital assets from compromise. These best practices are now distributed across six core functions in NIST CSF 2.0:
- Identify: Identify all assets and sensitive data within your information systems that are vulnerable to cybersecurity risks.
- Protect: Implement appropriate data security measures to address all identified cybersecurity risks. Protection strategies could involve security policy updates, security awareness training, and implementing security risk mitigation tools.
- Detect: Detect potential attack vectors through continuous monitoring of the entire attack surface. The service provider attack surface should be especially monitored since many cyberattacks target third-party vendors.
- Respond: Deploy rapid and controlled remediation efforts in line with a well-designed incident response plan.
- Recover: Reinstate business as usual (BAU) operations by following a clear disaster recovery policy. NIST CSF 2.0 expands upon the recovery function to support faster restoration of disrupted services.
- Govern: New in NIST CSF 2.0, this function consolidates governance outcomes, making it easier for non-technical stakeholders to engage in cybersecurity decision-making and ensuring cybersecurity is better aligned with broader governance goals.
Organizations can track their progress in implementing this framework through a four-tier maturity scale. The higher the tier, the closer an organization is to complying with the requirements of NIST CSF 2.0.
- Tier 1 (Partial)
- Tier 2 (Risk Informed)
- Tier 3 (Repeatable)
- Tier 4 (Adaptable)
Note: These tiers don't necessarily represent maturity levels. Organizations must determine which tier best aligns cybersecurity risk exposure levels with operational and financial objectives.
You can download Version 2.0 of the NIST Cybersecurity Framework here.
Is compliance with NIST CSF mandatory?
All federal agencies are required to comply with NIST, as well as all members of the federal government supply chain, including prime contractors, subcontractors, and the subcontractors of subcontractors.
Other private sector businesses outside this group are not obligated to comply with NIST CSF; however, compliance with at least the framework's vendor risk security requirements is highly recommended.
“NIST CSF is meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements.”
- US Regulator of Consumer Data Protection Laws
You can ensure your vendors follow NIST CSF requirements by using this free NIST CSF risk assessment template.
Thousands of independent cybersecurity professionals contributed to the development of NIST CSF, now updated to NIST CSF 2.0, to create an unbiased pathway for improving any organization's security baseline. This is one of the reasons why NIST CSF is growing in popularity. Instead of designing a risk management program from a blank canvas, businesses can comply with NIST CSF 2.0 and follow a battle-tested maturity model to strengthen their security posture rapidly.
Because NIST CSF was developed by industry experts, stakeholders with limited cybersecurity knowledge can use the framework to identify and manage critical information security vulnerabilities, significantly reducing an organization’s risk of data breaches.
NIST CSF is a member of the NIST special publication series. There are three frameworks in this series:
Because each framework addresses supply chain security, there is an overlap between the security controls in each publication. The security controls outside this overlap can easily be mapped from one standardized framework to the others.
Do third-party vendors need to comply with NIST CSF?
Because NIST is not a mandatory regulation, third-party vendors are not required to comply with the framework. However, because NIST CSF 2.0 could help any organization elevate its security posture, all vendors can demonstrate security due diligence by incorporating the framework in their security programs.
The exemplary security posture achievable with NIST CSF means that highly regulated vendors, such as those in the healthcare industry, could use the framework's privacy controls to comply with mandatory regulations such as HIPAA.
Supply chain risk management requirements in the NIST cybersecurity framework
In NIST CSF 2.0, Cybersecurity Supply Chain Risk Management (C-SCRM) is now part of the Govern function (GV.SC). Integrating C-SCRM within the Govern function emphasizes the leadership team's increased involvement in supply chain risk management, a change that elevates C-SCRM from an operational concern to a strategic concern.
The specific NIST CSF 2.0 subcategories under the Govern function that address supply chain risk management are:
- GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.
- GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.
- GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.
- GV.SC-04: Suppliers are known and prioritized by criticality.
- GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.
- GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships.
- GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.
- GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities.
- GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.
- GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.
Meeting the Third-Party Risk Requirements in NIST CSF Version 2.0
The third-party risk requirements of NIST CSF can be addressed with the following best cybersecurity practices, as aligned with the Govern function (GV) and Cybersecurity Supply Chain Risk Management (GV.SC) subcategories.
1. Continuous monitoring of the attack surface
Attack surface monitoring exposes third-party security risks that would otherwise leave your supply chain at a heightened risk of compromise. This effort aligns with subcategory GV.SC-07, which addresses the monitoring, prioritization, and management of supplier risks throughout the relationship.
How UpGuard can help:
UpGuard's attack surface monitoring tool can help you map your digital footprint and discover vulnerabilities in your internal and external IT ecosystem that can be exploited by cybercriminals.
2. Tier your vendors
Vendor tiering is the process of categorizing vendors by their degree of risk criticality. It allows you to focus security efforts on the vendors with the greatest potential impact on your security posture, which supports alignment with GV.SC-04, the subcategory that emphasizes the prioritization of suppliers by criticality.
How UpGuard can help:
UpGuard includes a Vendor Tiering feature that gives you complete control over the tiering process. This allows you to classify vendors based on your unique risk tolerance.
3. Regularly evaluate third-party vendors with security assessments and questionnaires
Security assessments and questionnaires enable detailed evaluations of each vendor’s cybersecurity practices. Submissions will also uncover any breaches of agreed security standards outlined in contracts. This effort aligns with the subcategory GV.SC-05, which requires cybersecurity risk management processes to be integrated into contracts and agreements with suppliers.
How UpGuard can help:
UpGuard offers a comprehensive library of security questions mapping to popular cybersecurity frameworks, including the NIST cybersecurity frameworks. UpGuard Trust Exchange streamlines vendor questionnaire management, automating the most cumbersome manual tasks commonly involved in this effort.
4. Track third-party vendor security postures with Security Ratings
Security ratings can be used to detect emerging third-party security risks and confirm the efficacy of a vendor's risk remediation efforts. This process aligns with subcategory GV.SC-09, which calls for continuous monitoring of supply chain security practices throughout the product/service lifecycle.
How UpGuard can help:
UpGuard’s security rating feature considers ten categories of attack vectors to produce the most accurate measurement of a vendor's security posture.
If you’d like to learn how UpGuard’s security rating capabilities compare to BitSight and SecurityScorecard, see our guide on SecurityScorecard security ratings vs. BitSight security ratings here.
5. Request the findings of regular third-party vendor pen tests
Stipulate a regular pen testing schedule in onboarding contracts for all supply chain vendors. These tests should assess access control security, asset management security, and federal information system security, as well as compliance with relevant risk management frameworks. The test findings should be disclosed to your security teams, who will evaluate each vendor’s recovery plan based on their pen test results. This effort aligns with the subcategory GV.SC-08, which emphasizes including suppliers in incident planning, response, and recovery activities.
How UpGuard can help:
UpGuard helps you easily track and manage third-party remediation efforts, ensuring vendors meet the minimum security baseline required to execute response plans successfully.