Meeting the Third-Party Risk Requirements of NIST 800-53 in 2022

The National Institute of Standards and Technology (NIST) has responded to the increased prevalence of third-party risks by specifying industry standards for securing the supply chain attack surface - the attack surface most vulnerable to third-party risks.

These guidelines consist of a series of security controls stretching across three different publications:

  • NIST SP 800-53 (Revision 5) - Security and Privacy Controls for Information Systems and Organizations.
  • NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST Cybersecurity Framework - Framework for Improving Critical Infrastructure Cybersecurity

There is an overlap between the impact of third-party risk controls across all three NIST publications, so compliance with a single standard would also meet many of the third-party risk requirements of the other two standards.

This post will focus on the NIST SP 800-53 publication and explain how to meet its third-party security requirements.

Is NIST 800-53 Compliance Mandatory?

All U.S Federal government agencies must observe the third-party requirements in NIST 800-53 privacy controls for federal information systems and organizations.

However, implementing the NIST 800-53 framework is an option for any entity seeking to improve its supply chain security posture. The benefit of voluntarily comply with 800-53 is that it's security controls could also support compliance with other regulation including 23 NY CRR 500.

Learn how to comply with the third-party risk management requirements of 23 NY CRR 500.

Federal Information Security Management Act (FISMA), a United States Federal law outlining a resilient protection framework for government data, requires the following entities to implement NIST 800-53 security controls:

  • Federal government agencies
  • State agencies
  • Federal programs
  • Private sector firms that support, sell or receive services from the U.S government.

NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls

Third-party data breaches are too big of a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party risk. This incident disrupted information security programs globally, igniting a mass audit of risk assessment designs and incident response policies. Security teams reshuffled their properties to accommodate a new north-star metric - improving the baseline of cybersecurity across all third-party service providers.

The NIST SP 800-53 risk management framework offers organizations a structured approach for maturing their supply chain risk management processes.

The latest revision of the NIST SP 800-53 publication (revision 5) includes a new control group specifically devoted to securing supply chain security risks in cybersecurity programs.

The supply chain risk management control family is comprised of 12 controls:

To support a structured security control selection process, NIST SP 800-53 adopts the Federal Information Processing Standard (FIPS) categorization system. FIPS separates information security systems into three levels of safeguard severity:

  1. Low-impact
  2. Moderate-impact
  3. High-impact

Is NIST 800-53 a Framework or a Standard?

While the terms ‘standard’ and ‘framework’ are commonly used interchangeably, it’s most helpful to consider NIST 800-53 as a framework for improving information security practices.

By considering NIST 800-53 a framework rather than a standard, its implementation becomes an option for a broader range of organizations - not just the entities required by law to implement it.

The following organization types can implement NIST 800-53 into their information technology and risk management programs:

The risk framework for the DoD is also partially based on NIST 800-171.

A NIST 800-53 Third-Party Risk Compliance Framework

Rather than viewing compliance from the perspective of each security measure, a more efficient implementation process is achieved by dividing the effort into five core functions.

  • Identify which assets require protection (preference those storing sensitive data).
  • Protect - Implement proportional security measures to protect vulnerable assets.
  • Detect - Detect potential cyber threats seeking to exploit vulnerable assets.
  • Respond - Contain cyber threats to prevent further compromise.
  • Recover - Follow remediation protocols to support business continuity.

This compliance framework can also be applied to the NIST Cybersecurity Framework (NIST CSF) publication.

Complying with NIST 800-53 Third-Party Risk Mitigation Requirements

The following best practices will help you address the five core functions outlined above and, in turn, address the third-party risk mitigation requirement of NIST 800-53.





  • Keep incident response and security plans updated.
  • Periodically test the resilience of incident response plans with red/blue team penetration testing.
  • Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
  • Segment cyber threats to disrupt lateral movement following network compromise.


Learn how to meet the third-party risk management requirements of NIST 800-53.

Use this checklist to track your compliance with NIST 800-53.

NIST 800-53 Third-Party Risk Compliance with UpGuard

UpGuard helps organizations achieve NIST 800-53 compliance in their third-party risk management framework with the following features:

  • Third-party attack surface monitoring to discover security risks putting the supply chain at risk of compromise.
  • Vendor Tiering to support the timely remediation of critical security risks.
  • A library of customizable vendor risk assessments that track compliance against popular standards and frameworks, including NIST 800-53.
  • Data leak detection and remediation services addressing critical exposures before cybercriminals discover them.

Click here to try UpGuard for free for 7 days.

Free eBook

NIST Compliance Guide

Learn how the NIST guidelines can help your organization improve its security posture, develop better security controls, and maintain regulatory compliance.
UpGuard logo in white
NIST Compliance Guide
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating