The National Institute of Standards and Technology (NIST) has produced several publications addressing the different components of information technology security within the NIST 800 computer security series. Compliance across this entire NIST 800 series is expected for all internal and external service providers of government entities, such as DoD federal agencies. Though not obliged to comply, many private organizations use the NIST 800 series as a maturity model for achieving a minimal baseline of cybersecurity, especially in the area of supply chain risk management (SCRM).
NIST has produced three special publications focused on mitigating supply chain attacks:
- NIST SP 800-53 Rev 5
- NIST SP 800-161
- NIST Cybersecurity Framework (NIST CSF)
In October 2021, NIST SP 800-161 was revised. The second public draft, known as NIST 800-161 Revision 1, includes two new appendices:
- Appendix E - Provides additional guidance to specific federal agencies related to FASCSA.
- Appendix F - Provides a response to the directives outlined in section 4(c) of Executive Order 14028.
The second draft of the NIST SP 800-161 revision 1 can be accessed here.
The original NIST SP 800-161 publication can be accessed here.
This post will focus on the NIST SP 800-161 special publication and explain how its third-party risk mitigation requirements can be addressed.
What’s the Difference Between NIST 800-53 and NIST 800-161?
NIST 800-53 is the foundational framework for all security controls within the NIST 800 series. NIST 800-161 is considered a complementary addition to this foundation to further mature supply chain security programs. In other words, the NIST 800-53 framework is a prerequisite to the NIST 800-161 framework.
Implementing both risk management frameworks in SCRM programs is recommended for all businesses in the public and private sectors. This establishes the most comprehensive template for mitigating information and communication technology (ICT) supply chain risks in business processes.
Is NIST 800-161 Compliance Mandatory?
Compliance with NIST’s special publications is mandatory for all U.S. federal agencies. All other entities can choose whether to implement NIST frameworks in their information security policies.
However, all information and communication technology ecosystems can benefit from the risk management programs presented in special publication 800-161.
NIST 800-161 ICT SCRM Control Family Summary
NIST 800-161 outlines several ICT SCRM-relevant controls across 18 different control families, including:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- Program Management
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
For a summary of all the ICT SCRM controls within each family, refer to page 126 of NIST SP 800-161.
Meeting Third-Party Risk Mitigation Requirements in NIST SP 800-161 with UpGuard
Because NIST 800-53 is a foundational framework for NIST SP 800-161, there’s an overlap between the security requirements of both frameworks.
Even after excluding this overlap, the remaining list of ICT SCRM controls is lengthy, and it would be inefficient to map compliance efforts to each individual control.
Instead, compliance is most efficiently achieved by following cyber supply chain risk management best practices.
Some suggested supply chain risk management practices for federal information systems and organizations are outlined below:
- Continuous monitoring of cybersecurity risks in the supply chain - Real-time tracking of exploitable weaknesses across the attack surface empowers organizations to address supply chain security risks before cybercriminals exploit them.
  UpGuard scans the entire third-party attack surface for security vulnerabilities that could facilitate supply chain attacks. Click here to learn more.
- Third-party risk remediation validation - Security ratings confirm that vendors follow through with requested risk management processes. Security ratings also ensure service providers meet their contractual obligations to safeguard critical information.
  UpGuard assigns each third-party vendor a security rating based on over 70 attack vectors. Click here to learn more about security ratings.
- Security questionnaire automation - Automate supply chain risk assessments that map to regulatory and industry standards, such as ISO/IEC, NIST, COBIT, and ISA.
  UpGuard offers an extensive library of security questionnaires mapping to popular cybersecurity frameworks and standards. The following questionnaires are available on the UpGuard platform:
  - CyberRisk Questionnaire
  - ISO 27001 Questionnaire
  - Short Form Questionnaire
  - NIST Cybersecurity Framework Questionnaire
  - PCI DSS Questionnaire
  - California Consumer Privacy Act (CCPA) Questionnaire
  - Modern Slavery Questionnaire
  - Pandemic Questionnaire
  - Security and Privacy Program Questionnaire
  - Web Application Security Questionnaire
  - Infrastructure Security Questionnaire
  - Physical and Data Centre Security Questionnaire
  - COBIT 5 Security Standard Questionnaire
  - ISA 62443-2-1:2009 Security Standard Questionnaire
  - ISA 62443-3-3:2013 Security Standard Questionnaire
  - GDPR Security Standard Questionnaire
  - CIS Controls 7.1 Security Standard Questionnaire
  - NIST SP 800-53 Rev. 4 Security Standard Questionnaire
  - SolarWinds Questionnaire
  - Kaseya Questionnaire
- Implement a Third-Party Risk Management (TPRM) program - A TPRM program addresses the complete domain of third-party risk mitigation, including third-party assessments and regulatory requirements tracking. Outsourcing this effort to a TPRM service provider is becoming an increasingly popular decision among stakeholders seeking a scalable TPRM model.
  UpGuard’s managed TPRM service, CyberResearch, helps organizations scale their TPRM efforts rapidly and efficiently. Click here to learn more about CyberResearch.
- Rank third-party vendors by risk criticality - Prioritizing the vendors with the most significant potential impact on security posture can significantly reduce the success rate of supply chain cyberattacks.
  UpGuard offers a Vendor Tiering feature to help you rank vendors by their potential degree of impact on security posture. Click here to learn more about Vendor Tiering.
- Regularly update and test response plans - Response plans should be exercised regularly with unannounced penetration testing.
  Click here to learn more about incident response planning.
- Broaden the scope of vendor security information sharing - For the most accurate evaluation of an organization’s risk profile, risk assessments should be customizable. This accommodates the unique supply chain security objectives of critical infrastructure and privacy controls.
  With UpGuard’s custom questionnaire builder, you can create questionnaires either by modifying existing assessments or by building on a blank canvas. Click here to learn more about UpGuard’s custom questionnaire builder.
- Detect and shut down third-party data leaks - Data leaks help cybercriminals gain unauthorized access to vendors in the supply chain.
  UpGuard’s proprietary data leak detection engine discovers overlooked exposures across common hosts of data leak dumps, including dark web forums. Click here to learn more about data leaks.
- Secure the vendor onboarding process - The vendor procurement process significantly impacts security posture. As a result, the risk profiles of prospective vendors should be heavily scrutinized, an effort that should continue throughout the entire lifecycle of every vendor.
  Click here to learn how OVO secured its vendor onboarding process with UpGuard.