NIST SP 800-53 defines a catalog of security and privacy controls for protecting federal information systems from the cyber threats and vulnerabilities that lead to data breaches. Because third-party vendors make up a major portion of federal attack surfaces, these entities also need to be monitored for alignment with NIST 800-53, Security and Privacy Controls for Information Systems and Organizations.
This post provides a template to inspire the design of your own vendor security questionnaire mapping to NIST SP 800-53. For an editable version of a vendor questionnaire mapping to NIST 800-53 revision 5, download this NIST 800-53 risk assessment template.
Vendor Questionnaire Template: NIST SP 800-53
Note: UpGuard offers a NIST 800-53 vendor questionnaire that automatically highlights alignment gaps based on vendor responses to support an efficient compliance strategy. For the most dependable supply chain risk management program, it’s highly recommended to manage your vendor security questionnaires on a scalable solution like UpGuard.
Security and Privacy Programs Assessment
This section evaluates the strength of the policies governing a vendor’s security and privacy programs.
1. Does your company have a developed security program in place?
- Yes
- No
- NA
- Free Text Field
1 (a). If you answered Yes, does this program address the complete scope of digital information being processed in the organization?
- Yes
- No
- NA
- Free Text Field
Security Control
This section evaluates the strength of a vendor’s security control strategy and its ability to protect private data from compromise.
1. Do you provide a notice to your customers advising them how you handle and protect personally identifiable information (PII)?
- Yes
- No
- NA
- Free Text Field
1 (a). If you answered Yes, provide a copy of this policy, either by pasting it in the free text field below or appending it to this completed questionnaire.
- Free Text Field
1 (b). If you answered No, describe compensating controls that are in place or explain why you don’t consider this to be a security risk.
- Free Text Field
1 (c). If you’re in the process of implementing an external policy describing how you handle and protect personally identifiable information, advise the estimated timeframe for when this will be completed.
- Free Text Field
2. Do you have internal documentation outlining how to safely handle sensitive customer data?
- Yes
- No
- NA
- Free Text Field
2 (a). If you answered No, describe compensating controls that are in place or explain why you don’t consider this to be a security risk.
- Free Text Field
3. How often are internal audits of your security and privacy program conducted?
- Every three months
- Every six months
- Annually
- Free Text Field
4. Do you have a policy in place for mitigating the security risks posed by mobile devices?
- Yes
- No
- NA
- Free Text Field
5. Have you implemented a risk assessment program?
- Yes
- No
- NA
- Free Text Field
5 (a). If you answered Yes, how often are risk assessments completed for each vendor?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
6. Do you have a policy for prioritizing critical vendors in risk assessment plans?
- Yes
- No
- NA
- Free Text Field
6 (a). If you answered Yes, how do you determine which vendors need to be prioritized?
- Free Text Field
7. Do you have a cybersecurity solution for continuous monitoring of attack surfaces to discover emerging risks, either internally or across your service provider network (real-time monitoring)?
- Yes
- No
- NA
- Free Text Field
7 (a). Do you have a vulnerability scanning tool in place for discovering emerging attack vectors across all internet-facing assets?
- Yes
- No
- NA
- Free Text Field
8. Do you have security policies for mitigating insider threat risks?
- Yes
- No
- NA
- Free Text Field
9. Do you have a process for ensuring onboarded vendors meet the security requirements defined by your risk appetite?
- Yes
- No
- NA
- Free Text Field
10. Do you have any vendors currently exceeding your risk appetite baseline?
- Yes
- No
- NA
- Free Text Field
11. Do you incorporate penetration testing in your strategy for maintaining a resilient control baseline?
- Yes
- No
- NA
- Free Text Field
11 (a). If you answered Yes, how often do you perform penetration tests?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
Personnel Security
This section evaluates the likelihood of staff facilitating security incidents.
1. Do you keep an up-to-date record of all employee user accounts and their respective access control levels?
- Yes
- No
- NA
- Free Text Field
2. Do you have a policy in place ensuring sensitive data is only accessed on a need-to-know basis?
- Yes
- No
- NA
- Free Text Field
3. Do you have a policy in place ensuring only authorized users have access to sensitive resources?
- Yes
- No
- NA
- Free Text Field
4. Do you have a methodology in place for protecting privileged user accounts?
- Yes
- No
- NA
- Free Text Field
5. Do you have contingency plans in place for when privileged user accounts are compromised?
- Yes
- No
- NA
- Free Text Field
6. Are government contractors and information security assessors required to sign confidentiality agreements to ensure customer data remains protected?
- Yes
- No
- NA
- Free Text Field
7. Do you have formally managed system security plans for protecting account authentication information, such as passwords and digital certificates?
- Yes
- No
- NA
- Free Text Field
8. Are user account access levels regularly reviewed?
- Yes
- No
- NA
- Free Text Field
8 (a). If you answered Yes, how often do these reviews happen?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
9. Do your employees complete cyber threat awareness training regularly?
- Yes
- No
- NA
- Free Text Field
9 (a). If you answered Yes, how often does this training occur?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
9 (b). If you answered Yes, provide an outline of what is covered in each training module.
- Free Text Field
9 (c). If you answered Yes, does your program management policy regularly update this training?
- Yes
- No
- NA
- Free Text Field
10. Does your physical and environmental protection policy ensure all means of physical and digital access to your network are revoked from offboarded contractors and employees, including remote access?
- Yes
- No
- NA
- Free Text Field
Regulatory Compliance
This section will help you evaluate the level of risk your vendors pose to your regulatory compliance efforts.
1. List all of the regulations that you are bound by.
- Free Text Field
2. Do you have a process in place for tracking emerging regulatory requirements?
- Yes
- No
- NA
- Free Text Field
3. Do you have a process in place for tracking regulatory compliance gaps, internally and across your vendor network?
- Free Text Field
4. Do you have a system for prioritizing critical regulatory compliance risk remediation tasks?
- Yes
- No
- NA
- Free Text Field
Infrastructure Security
These questions will help you discover security risks associated with a vendor’s IT Infrastructure.
1. Do you have configuration management tools enabling secure configuration settings?
- Yes
- No
- NA
- Free Text Field
2. Do you facilitate remote access to your infrastructure?
- Yes
- No
- NA
- Free Text Field
2 (a). If you answered Yes, do these remote access mechanisms undergo security testing to uncover potentially exploitable vulnerabilities?
- Yes
- No
- NA
- Free Text Field
3. Do you have a patch management program for keeping your network infrastructure secured with the latest patches?
- Yes
- No
- NA
- Free Text Field
3 (a). If you answered Yes, do you automate patch updates?
- Yes
- No
- NA
- Free Text Field
4. Do you conduct security control assessments for evaluating the cybersecurity of your cloud infrastructures?
- Yes
- No
- NA
- Free Text Field
4 (a). If you answered Yes, how often do these assessments occur?
- Monthly
- Quarterly
- Bi-annually
- Annually
- Other (specify below)
- Free Text Field
Server Security
This section evaluates the likelihood of a vendor’s servers acting as attack vectors facilitating data breaches.
1. Do you follow a server hardening protocol?
- Yes
- No
- NA
- Free Text Field
1 (a). If you answered Yes, provide an overview of the hardening process.
- Free Text Field
2. How do you ensure your servers are protected with the latest security patches?
- Free Text Field
3. Which operating systems are your servers running on?
- Microsoft Windows
- Unix (including Linux, Solaris, etc.)
4. Are servers housing sensitive data segmented and inaccessible to general users?
- Yes
- No
- NA
- Free Text Field
5. How often is your list of privileged access users audited?
- Monthly
- Quarterly
- Bi-annually
- Annually
- Other (specify below)
- Free Text Field
6. Describe how your server backups are stored.
For example, on disks, removable drives, other servers, etc.
- Free Text Field
7. List all of the geographical locations of your servers (including backup servers).
- Free Text Field
8. How often are these backups tested?
- Monthly
- Quarterly
- Bi-annually
- Annually
- Other (specify below)
- Free Text Field
Email Security
These questions will help you understand the likelihood of a vendor being compromised through an email-based cyberattack.
1. Describe the security controls you have in place for defending against email-based attacks.
For example, phishing, email spoofing, etc.
- Free Text Field
2. Have you suffered any email-based attacks in the last 12 months?
- Yes
- No
- NA
- Free Text Field
2 (a). If you have, were any of these attacks successful?
If so, describe the impact of the attack.
- Yes
- No
- NA
- Free Text Field
3. Are your emails encrypted while in transit?
For example, using Transport Layer Security (TLS).
- Yes
- No
- NA
- Free Text Field
Client Workstation Security
This section evaluates the likelihood of endpoints acting as attack vectors and identifies opportunities for security improvement.
1. How do you ensure client workstations and remote endpoints are hardened against cyber threats?
- Free Text Field
2. Does your Incident Response Plan address situations where remote endpoints are compromised?
- Yes
- No
- NA
- Free Text Field
3. Select the types of devices and information system components covered with malware protection.
- Mobile Devices
- Windows workstations
- Non-Windows workstations
4. Do any remote endpoints or workstations share passwords?
- Yes
- No
- NA
- Free Text Field
5. Do any workstations use default administrative passwords?
- Yes
- No
- NA
- Free Text Field
6. Do you have a media protection policy defending against malware injections from external devices (such as USBs and hard drives)?
- Yes
- No
- NA
- Free Text Field
Data Management
This section evaluates the security of the vendor’s data management strategy.
1. Do you use an Active Directory tool to track sensitive information across technology systems?
- Yes
- No
- NA
- Free Text Field
1 (a). If you answered Yes, does this Active Directory tool also monitor sensitive data shared with third-party services?
- Yes
- No
- NA
- Free Text Field
2. Do you have separate network segments for your own sensitive data and sensitive data belonging to your customers?
- Yes
- No
- NA
- Free Text Field
Asset Management
This section evaluates the strength of the vendor’s asset management strategy, which could reveal overlooked attack surface regions vulnerable to compromise.
1. How do you ensure your IT asset inventory remains up-to-date?
- Free Text Field
2. Do you have an attack surface management program in place to protect IT assets from compromise?
- Yes
- No
- NA
- Free Text Field
2 (a). If you answered Yes, how do you track the functionality and efficacy of your ASM program?
- Free Text Field
3. Do you regularly keep stakeholders informed of your attack surface management efforts?
- Yes
- No
- NA
- Free Text Field
4. How do you ensure system and information integrity is maintained across your IT assets when a cyber threat breaches your network?
- Free Text Field
Streamline NIST 800-53 Questionnaire Management with UpGuard
The UpGuard platform offers customizable security questionnaires mapping to NIST Special Publication 800-53 and many other popular regulations and standards, including DORA, NIST CSF and ISO 27001.
To start tracking vendor compliance with NIST 800-53, you can download this free NIST 800-53 risk assessment template.