How to Meet Third-Party Risk Requirements of NIST 800-161

How to Meet Third-Party Risk Requirements of NIST 800-161

Edward Kost
Edward Kost
updated Apr 28, 2022

The National Institute of Standards and Technology (NIST) has produced several publications addressing the different components of information technology security within the NIST 800 computer security series. Compliance across this entire NIST 800 series is expected for all internal and external service providers of government entities - such as the DoD federal agencies. Though not obliged to comply, many private organizations use the NIST 800 series as a maturity model for achieving a minimal baseline of cybersecurity, especially in the area of supply chain risk management (SCRM).

NIST has produced three special publications focused on mitigating supply chain attacks:

In October 2021, NIST SP 800-161 was revised. The second public draft, known as NIST 800-161 Revision 1, includes two new appendices:

  • Appendix E - Provides additional guidance to specific federal agencies related to FASCSA
  • Appendix F - Provides a response to the directives outlined in section 4(c) of Executive Order 14028.

The second draft of the NIST SP 800-161 revision 1 can be accessed here.

The original NIST SP 800-161 publication can be accessed here.

This post will focus on the NIST 800-161 special publication and explain how its third-party risks mitigation metrics can be addressed.

What’s the Difference Between NIST 800-53 and NIST 800-161?

NIST 800-53 is the foundational framework for all security controls within the NIST 800 series. NIST 800-161 is considered a complementary addition to this foundation to further mature supply chain security programs. In other words, the NIST 800-53 framework is a prerequisite to the NIST 800-161 framework.

Implementing both risk management frameworks in SCRM programs is recommended for all businesses in public and private sectors. This will establish the most comprehensive template for mitigating ICT supply chain risks in business processes.

Is NIST 800-161 Compliance Mandatory?

Compliance with NIST’s special publications is mandatory for all U.S federal agencies. All other entities can choose whether they implement NIST frameworks in their information security policies.

However, all information and communication technology ecosystems can benefit from the risk management programs presented in special publication 800-161.

NIST 800-161 ICT SCRM Control Family Summary

NIST 800-161 outlines several ICT SCRM relevant controls across 18 different control families:

  1. Access Control
  2. Awareness and training
  3. Audit and Accountability
  4. Security Assessment and Authorization
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Risk Assessment
  16. System and Services Acquisition
  17. System and Communication Protection
  18. System and Information Integrity.

For a summary of all the ICT SCRM controls within each family, refer to page 126 of NIST SP 800-161.

Meeting Third-Party Risk Mitigation Requirements in NIST SP 800-161 with UpGuard

Because NIST 800-53 is a foundational framework for NIST SP 800-161, there’s an overlap between the security requirements of both frameworks.

overlap between TPRM requirements of NIST 800-53 and NIST 00-161

Even with the exclusion of this overlap, the remaining list of ICT SCRM control is lengthy, and it would be inefficient to map compliance efforts to each individual control.

Instead, compliance is most efficiently achieved by following best cyber supply chain risk management practices.

Some suggested supply chain risk management practices for federal information systems and organizations are outlined below:

  • Continuous monitoring of cybersecurity risks in the supply chain - Real-time tracking of attack surface exploits empowers organizations to address supply chain security risks before cybercriminals exploit them.

    UpGuard scans the entire third-party attack surface for security vulnerabilities that could facilitate supply chain attacks. Click here to learn more.
  • Third-party risk remediation validation - Security ratings confirm vendors follow through with requested risk management processes. Security ratings also ensure service providers meet their contractual obligations to safeguard critical information.

    UpGuard assigns each third-party vendor a security rating based on over 70 attack vectors. Click here to learn more about security ratings.
  • Security questionnaire automation - Automate supply chain risk assessments mapping to regulatory and industry standards, such as ISO IEC, NIST, COBIT, and ISA.

    UpGuard offers an extensive library of security questionnaires, mapping to popular cybersecurity frameworks and standards. The following list of questionnaires are available on the UpGuard platform:
  1. CyberRisk Questionnaire
  2. ISO 27001 Questionnaire
  3. Short Form Questionnaire
  4. NIST Cybersecurity Framework Questionnaire
  5. PCI DSS Questionnaire:
  6. California Consumer Privacy Act (CCPA) Questionnaire
  7. Modern Slavery Questionnaire
  8. Pandemic Questionnaire
  9. Security and Privacy Program Questionnaire
  10. Web Application Security Questionnaire:
  11. Infrastructure Security Questionnaire
  12. Physical and Data Centre Security Questionnaire
  13. COBIT 5 Security Standard Questionnaire
  14. ISA 62443-2-1:2009 Security Standard Questionnaire
  15. ISA 62443-3-3:2013 Security Standard Questionnaire
  16. GDPR Security Standard Questionnaire
  17. CIS Controls 7.1 Security Standard Questionnaire
  18. NIST SP 800-53 Rev. 4 Security Standard Questionnaire
  19. SolarWinds Questionnaire
  20. Kaseya Questionnaire

Click here to see UpGuard’s questionnaire library in a live demo.
  • Implement a Third-Party Risk Management Program (TPRM) - A TPRM will address the complete domain of third-party risk mitigation, including third-party assessments and regulatory requirements tracking. Outsourcing this effort to a TPRM service provider is becoming an increasingly popular decision amongst stakeholders seeking a scalable TPRM model.

    UpGuard’s managed TPRM service, CyberResearch, helps organizations scale their TPRM efforts rapidly and efficiently. Click here to learn more about CyberResearch.
  • Rank third-party vendors by risk criticality - Prioritizing vendors with the most significant potential impact on security postures could significantly reduce the success rates of supply chain cyberattacks.

    UpGuard offers a Vendor Tiering feature to help you rank vendors based on their potential degree of impact on security postures. Click here to learn more about Vendor Tiering.
  • Regularly update and test response plans - Response plans should be regularly exercised with unexpected penetration testing.

    Click here to learn more about incident response planning.
  • Broaden the scope of vendor security information sharing - For the most accurate evaluation of an organization’s risk profile, risk assessments should be customizable. This will accommodate for the unique supply chain security objectives of critical infrastructures and privacy controls.

    With UpGuard’s customer questionnaire builder, you can create questionnaires by either modifying existing assessments or building upon a blank canvas. Click here to learn more about UpGuard’s custom questionnaire builder.
  • Detect and shut down third-party data leaks - Data leaks help cybercriminals gain unauthorized access to vendors in the supply chain.
    UpGuard’s proprietary data leak detection engine discovers overlooked exposures across common hosts of data leak dumps, including dark web forums. Click here to learn more about data leaks.
  • Secure the vendor onboarding process - The vendor procurement process significantly impacts security posture. As a result, the risk profiles of prospective vendors should be heavily scrutinized - an effort that should continue throughout the entire lifecycle of all vendors.

    Click here to learn how OVO secured its vendor onboarding process with UpGuard.

UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape