The National Institute of Standards and Technology (NIST) has issued special publications focused on improving Third-Party Risk Management (TPRM) and Supply Chain Risk Management (SCRM).

The NIST Cyber Security Framework (NIST CSF) special publication has become a popular option for its unique applicability to all industries with critical infrastructures.

NIST CSF isn’t a light read. With 5 functions, 23 categories, and 108 subcategories, identifying the NIST CSF security controls applicable to cyber supply chain risk management is a daunting task.

This post sets apart the specific security controls for third-party information security management and explains how to align risk management processes against these requirements.

Learn how UpGuard streamlines Vendor Risk Management >

What is the NIST Cybersecurity Framework (CSF)?

The NIST cybersecurity framework aggregates best cybersecurity practices to help organizations protect their digital assets from compromise. These best practices are distributed across five core functions:

  • Identify - Identify all assets and sensitive information within your information systems vulnerable to cybersecurity risks.
  • Protect - Implement appropriate data security measures to address all identified cybersecurity risks. Protection strategies could involve security policy updates, security awareness training, and the implementation of security risk mitigation tools.
  • Detect - Detect potential attack vectors through continuous monitoring of the entire attack surface. The service provider attack surface should especially be monitored since many cyberattacks are targeting third-party vendors.
  • Respond - Deploy rapid and controlled remediation efforts in line with a well-designed incident response plan.
  • Recover - Reinstate business as usual (BAU) operations by following a clear disaster recovery policy.

Learn more about the 5 core functions of NIST CSF >

Organizations can track the progress of implementing this NIST framework through a 4-tier maturity scale. The higher the tier, the closer an organization is to complying with the requirements of NIST CSF.

  1. Tier 1 (Partial)
  2. Tier 2 (Risk Informed)
  3. Tier 3 (Repeatable)
  4. Tier 4 (Adaptable)

Note: These tiers don't necessarily represent maturity levels. Organizations need to determine which tier best aligns cybersecurity risk exposure levels with operational and financial objectives.

Version 1.1 of the NIST Cybersecurity Frameworks can be accessed here.

Learn what's different in NIST CSF 2.0 >

Is Compliance with NIST CSF Mandatory?

All federal agencies are required to comply with NIST, as well as all members of the federal government supply chain, including prime contractors, subcontractors, and the subcontractors of subcontractors.

Other private sector businesses outside of this group are not obligated to comply with NIST CSF; however, compliance with at least the vendor risk security requirements of the framework is highly recommended.

Track NIST CSF alignment with this free tempate >

“NIST CSF is meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements.”

- US Regulator of Consumer Data Protection Laws

Thousands of independent cybersecurity professionals contributed to the development of NIST CSF to create an unbiased pathway for improving any organization's security baseline. This is one of the reasons why NIST CSF is growing in popularity. Instead of designing a risk management program from a blank canvas, businesses can comply with NIST CSF and follow a battle-tested maturity model to strengthen their security posture rapidly.

Learn how to choose a NIST CSF compliance product >

Because NIST CSF was developed by industry experts, its implementation will also help stakeholders address the critical information technology vulnerabilities commonly overlooked in cybersecurity programs, significantly reducing an organization’s risk of data breaches.

NIST CSF is a member of the NIST special publication series. There are three frameworks in this series:

  • NIST SP 800-53 Rev 5
  • NIST SP 800-161

Because each framework addresses supply chain security, there’s an overlap between the security controls in each publication. The security controls that fall outside this overlap could easily be mapped from the one standardized framework.

Learn more about NIST 800-53 Rev 5 >

Learn more about NIST 800-161 >

Do Third-Party Vendors Needs to Comply with NIST CSF?

Because NIST is not a mandatory regulation, third-party vendors are not required to comply with the framework. However, because NIST CSF could help any organization elevate its security posture, all vendors can demonstrate security due diligence by incorporating the framework in their security programs.

The exemplary security posture that’s possible with NIST CSF means that high-regulated vendors, such as those in the healthcare industry, could use the framework’s privacy controls to comply with mandatory regulations such as HIPAA.

Read our compliance guide for NIST in healthcare industry >

Supply Chain Risk Management Requirements in the NIST Cybersecurity Framework

NIST CSF leverages third-party risk from other popular frameworks, such as ISO 27001 and COBIT, to avoid excessive security control overlap when multiple frameworks are used in a risk management strategy.

The specific subcategories within NIST CSF that safeguard supply chain risk management are:

  • ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
  • ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
  • ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
  • ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other evaluations to confirm they are meeting their contractual obligations.
  • ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

Meeting the Third-Party Risk Requirements in NIST CSF Version 1.1

The third-party risk requirements of NIST CSF can be addressed with the following best cybersecurity practices.

1. Continuous Monitoring of the Attack Surface

Attack surface monitoring will surface third-party security risks placing your supply chain at a heightening risk of compromise.

This effort could help you address subcategory ID.SC-1.

How UpGuard Can Help

UpGuard continuously monitors the third and even fourth-party attack surface to help you address security risks before cybercriminals discover them.

Try UpGuard for free for 7 days >

2. Tier Your Vendors

Vendor tiering is the process of categorizing vendors by their degree of risk criticality. This effort allows you to focus most of your security efforts on vendors with the greatest potential impacts on your security posture.

This effort could help you address subcategory ID.SC-2.

How UpGuard Can Help

UpGuard includes a Vendor Tiering feature that gives you complete control over the tiering process. This allows you to classify vendors based on your unique risk tolerance.

Learn more about vendor tiering >

3. Regularly Evaluate Third-Party Vendors with Security Assessments and Questionnaires

Security assessments and questionnaires enable detailed evaluations of each vendor’s cybersecurity practices. Submissions will also uncover any breaches of agreed security standards outlined in contracts.

This effort could help you address subcategory ID.SC-3.

Learn how to communicate third-party risk to the Board >

How UpGuard Can Help

UpGuard offers a comprehensive library of security questions mapping to popular cybersecurity frameworks, including the NIST cybersecurity frameworks.

These questionnaires can also be edited to accommodate your unique third-party risk requirements or completely customized from a blank canvas.

Learn more about UpGuard’s custom questionnaire builder >

4. Track Third-Party Vendor Security Postures with Security Ratings

Security ratings can be used as an authentication tool to verify the remediation efforts of vendors and as indicators of potential security lapses requiring further investigation.

This effort could help you address subcategory ID.SC-4.

How UpGuard Can Help

UpGuard’s security rating feature evaluates third-party security postures based on over 70 advanced attack vectors, including:

If you’d like to learn how UpGuard’s security rating capabilities compare to BitSight and SecurityScorecard, see our guide on SecurityScorecard security ratings vs. BitSight security ratings here.

5. Request the Findings of Regular Third-Party Vendor Pen Tests

Stipulate a regular pen testing schedule in onboarding contracts for all supply chain vendors. These tests should test access control security, asset management security, federal information system security, and any relevant risk management frameworks.

These tests' findings should be disclosed to your security teams, who will then evaluate each vendor’s recovery plan based on their pen test results.

This effort could help you address subcategory ID.SC-5.

How UpGuard Can Help

UpGuard helps you easily track and manage third-party remediation efforts to ensure vendors achieve the minimal security baseline required to execute their response plans successfully.

Watch the video below for an overview of UpGuard's risk assessment workflow.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?