How to Meet Third-Party Risk Requirements of NIST 800-161

The National Institute of Standards and Technology (NIST) has produced several publications addressing the different components of information security within the NIST 800 computer security series. Compliance across this entire NIST 800 series is expected for all internal and external service providers of government entities - such as the DoD federal agencies. Though not obliged to comply, many private organizations use the NIST 800 series as a maturity model for achieving a minimal baseline of cybersecurity, especially in the area of supply chain risk management (SCRM).

NIST has produced three special publications focused on mitigating supply chain attacks:

• NIST SP 800-53 Rev 5
• NIST SP 800-161
• NIST Cybersecurity Framework (NIST CSF)

In October 2021, NIST SP 800-161 was revised. The second public draft, known as NIST 800-161 Revision 1, includes two new appendices:

• Appendix E - Provides additional guidance to specific federal agencies related to FASCSA
• Appendix F - Provides a response to the directives outlined in section 4(c) of Executive Order 14028.

The second draft of the NIST SP 800-161 revision 1 can be accessed here.

The original NIST SP 800-161 publication can be accessed here.

This post will focus on the NIST 800-161 special publication and explain how its third-party risks mitigation metrics can be addressed.

What’s the Difference Between NIST 800-53 and NIST 800-161?

NIST 800-53 is the foundational framework for all security controls within the NIST 800 series. NIST 800-161 is considered a complementary addition to this foundation to further mature supply chain security programs. In other words, the NIST 800-53 framework is a prerequisite to the NIST 800-161 framework.

Utilize this free NIST 800-53 risk assessment template to evaluate your vendors' alignment with NIST 800-53 standards.

Implementing both risk management frameworks in SCRM programs is recommended for all businesses in public and private sectors. This will establish the most comprehensive template for mitigating ICT supply chain risks in business processes.

Related: Meeting the Third-Party Risk Management Requirements of NIST 800-53.

Is NIST 800-161 Compliance Mandatory?

Compliance with NIST’s special publications is mandatory for all U.S federal agencies. All other entities can choose whether they implement NIST frameworks in their information security policies.

However, all information and communication technology ecosystems can benefit from the risk management programs presented in special publication 800-161.

Use this checklsit to track compliance with NIST 800-161 >

NIST 800-161 ICT SCRM Control Family Summary

NIST 800-161 outlines several ICT SCRM relevant controls across 18 different control families:

1. Access Control
2. Awareness and training
3. Audit and Accountability
4. Security Assessment and Authorization
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Personnel Security
15. Risk Assessment
16. System and Services Acquisition
17. System and Communication Protection
18. System and Information Integrity.

For a summary of all the ICT SCRM controls within each family, refer to page 126 of NIST SP 800-161.

Learn how to communicate third-party risk to the Board >

Meeting Third-Party Risk Mitigation Requirements in NIST SP 800-161 with UpGuard

Because NIST 800-53 is a foundational framework for NIST SP 800-161, there’s an overlap between the security requirements of both frameworks.

Even with the exclusion of this overlap, the remaining list of ICT SCRM control is lengthy, and it would be inefficient to map compliance efforts to each individual control.

Instead, compliance is most efficiently achieved by following best cyber supply chain risk management practices.

Some suggested supply chain risk management practices for federal information systems and organizations are outlined below:

• Continuous monitoring of cybersecurity risks in the supply chain - Real-time tracking of attack surface exploits empowers organizations to address supply chain security risks before cybercriminals exploit them.
  
  UpGuard scans the entire third-party attack surface for security vulnerabilities that could facilitate supply chain attacks. Click here to learn more.

• Third-party risk remediation validation - Security ratings confirm vendors follow through with requested risk management processes. Security ratings also ensure service providers meet their contractual obligations to safeguard critical information.
  
  UpGuard assigns each third-party vendor a security rating based on over 70 attack vectors. Click here to learn more about security ratings.
  ‍
• Security questionnaire automation - Automate supply chain risk assessments mapping to regulatory and industry standards, such as ISO/IEC 27001, NIST, COBIT, and ISA.
  
  UpGuard offers an extensive library of security questionnaires, mapping to popular cybersecurity frameworks and standards. The following list of questionnaires are available on the UpGuard platform:

1. CyberRisk Questionnaire
2. ISO 27001 Questionnaire
3. Short Form Questionnaire
4. NIST Cybersecurity Framework Questionnaire
5. PCI DSS Questionnaire:
6. California Consumer Privacy Act (CCPA) Questionnaire
7. Modern Slavery Questionnaire
8. Pandemic Questionnaire
9. Security and Privacy Program Questionnaire
10. Web Application Security Questionnaire:
11. Infrastructure Security Questionnaire
12. Physical and Data Centre Security Questionnaire
13. COBIT 5 Security Standard Questionnaire
14. ISA 62443-2-1:2009 Security Standard Questionnaire
15. ISA 62443-3-3:2013 Security Standard Questionnaire
16. GDPR Security Standard Questionnaire
17. CIS Controls 7.1 Security Standard Questionnaire
18. NIST SP 800-53 Rev. 4 Security Standard Questionnaire
19. SolarWinds Questionnaire
20. Kaseya Questionnaire
    

See UpGuard’s questionnaire library in a live demo >

• Implement a Third-Party Risk Management Program (TPRM) - A TPRM will address the complete domain of third-party risk mitigation, including third-party assessments and regulatory requirements tracking. Outsourcing this effort to a TPRM service provider is becoming an increasingly popular decision amongst stakeholders seeking a scalable TPRM model.‍
• Rank third-party vendors by risk criticality - Prioritizing vendors with the most significant potential impact on security postures could significantly reduce the success rates of supply chain cyberattacks.
  
  UpGuard offers a Vendor Tiering feature to help you rank vendors based on their potential degree of impact on security postures.
  ‍

• Regularly update and test response plans - Response plans should be regularly exercised with unexpected penetration testing.
  
  Learn more about incident response planning.
  ‍
• Broaden the scope of vendor security information sharing - For the most accurate evaluation of an organization’s risk profile, risk assessments should be customizable. This will accommodate for the unique supply chain security objectives of critical infrastructures and privacy controls.
  
  With UpGuard’s customer questionnaire builder, you can create questionnaires by either modifying existing assessments or building upon a blank canvas. Learn more about UpGuard’s custom questionnaire builder.
  ‍
• Detect and shut down third-party data leaks - Data leaks help cybercriminals gain unauthorized access to vendors in the supply chain.
  UpGuard’s proprietary data leak detection engine discovers overlooked exposures across common hosts of data leak dumps, including dark web forums. Click here to learn more about data leaks.
• ‍Secure the vendor onboarding process - The vendor procurement process significantly impacts security posture. As a result, the risk profiles of prospective vendors should be heavily scrutinized - an effort that should continue throughout the entire lifecycle of all vendors.

Learn how OVO secured its vendor onboarding process with UpGuard >