The National Institute of Standards and Technology (NIST) has responded to the increased prevalence of third-party risks by specifying industry standards for securing the supply chain attack surface - the attack surface most vulnerable to third-party risks.
These guidelines consist of a series of security controls stretching across three different publications:
- NIST SP 800-53 (Revision 5) - Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST Cybersecurity Framework - Framework for Improving Critical Infrastructure Cybersecurity
There is an overlap between the impact of third-party risk controls across all three NIST publications, so compliance with a single standard would also meet many of the third-party risk requirements of the other two standards.
This post will focus on the NIST SP 800-53 publication and explain how to meet its third-party security requirements.
Is NIST 800-53 Compliance Mandatory?
All U.S. Federal government agencies must observe the third-party requirements in NIST 800-53 privacy controls for federal information systems and organizations.
However, implementing the NIST 800-53 framework is an option for any entity seeking to improve its supply chain security posture. The benefit of voluntarily complying with 800-53 is that its security controls could also support compliance with other regulations, including 23 NY CRR 500.
The Federal Information Security Management Act (FISMA), a United States federal law outlining a resilient protection framework for government data, requires the following entities to implement NIST 800-53 security controls:
- Federal government agencies
- State agencies
- Federal programs
- Private sector firms that support, sell or receive services from the U.S. government.
NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls
Third-party data breaches are too big of a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party risk. This incident disrupted information security programs globally, igniting a mass audit of risk assessment designs and incident response policies. Security teams reshuffled their priorities to accommodate a new north-star metric - improving the baseline of cybersecurity across all third-party service providers.
The NIST SP 800-53 risk management framework offers organizations a structured approach for maturing their supply chain risk management processes.
The latest revision of the NIST SP 800-53 publication (revision 5) includes a new control group specifically devoted to addressing supply chain security risks in cybersecurity programs.
The supply chain risk management control family is comprised of 12 controls:
- SR-1: Policy and procedures
- SR-2: Supply chain risk management plan
- SR-3: Supply chain controls and processes
- SR-4: Provenance
- SR-5: Acquisition strategies, tools, and methods
- SR-6: Supplier assessments and reviews
- SR-7: Supply chain operations security
- SR-8: Notification agreements
- SR-9: Tamper resistance and detection
- SR-10: Inspection of systems or components
- SR-11: Component authenticity
- SR-12: Component disposal
To support a structured security control selection process, NIST SP 800-53 adopts the Federal Information Processing Standard (FIPS) categorization system. FIPS separates information security systems into three levels of safeguard severity:
- Low-impact
- Moderate-impact
- High-impact
Is NIST 800-53 a Framework or a Standard?
While the terms ‘standard’ and ‘framework’ are commonly used interchangeably, it’s most helpful to consider NIST 800-53 as a framework for improving information security practices.
By considering NIST 800-53 a framework rather than a standard, its implementation becomes an option for a broader range of organizations - not just the entities required by law to implement it.
The following organization types can implement NIST 800-53 into their information technology and risk management programs:
- Government agencies
- Federal agencies
- The healthcare industry
- Department of Defense (DoD)
The risk framework for the DoD is also partially based on NIST 800-171.
A NIST 800-53 Third-Party Risk Compliance Framework
Rather than viewing compliance from the perspective of each security measure, a more efficient implementation process is achieved by dividing the effort into five core functions.
- Identify - Identify which assets require protection (prioritizing those storing sensitive data).
- Protect - Implement proportional security measures to protect vulnerable assets.
- Detect - Detect potential cyber threats seeking to exploit vulnerable assets.
- Respond - Contain cyber threats to prevent further compromise.
- Recover - Follow remediation protocols to support business continuity.
This compliance framework can also be applied to the NIST Cybersecurity Framework (NIST CSF) publication.
Complying with NIST 800-53 Third-Party Risk Mitigation Requirements
The following best practices will help you address the five core functions outlined above and, in turn, address the third-party risk mitigation requirement of NIST 800-53.
Identify
- Incorporate access control and data protection policies in vendor onboarding contracts.
- Organize supply chain vendors by the level of potential security impact.
- Set a standard of complete security risk transparency throughout the lifecycle of vendor relationships (stipulated in onboarding contracts).
- Identify your risk threshold across all assets.
- Identify all the assets in your ecosystem with digital footprinting.
Protect
- Implement an attack surface monitoring solution that includes suggested remediation efforts for discovered risks.
- Implement in-person training or webinars to educate employees on identifying phishing and social engineering attacks.
- Enforce appropriate personnel security hygiene across all remote workers.
- Evaluate the risk exposure within your supply chain with security assessments.
- Ensure all third-party vendors remain compliant with regulatory standards, such as HIPAA, PCI DSS, and ISO 27001.
Detect
- Discover and address vulnerabilities that could facilitate cyber threat injection.
- Discover and shut down data leaks exposing sensitive information.
- Scan open ports for suspicious activity.
- Secure all open ports.
Respond
- Keep incident response and security plans updated.
- Periodically test the resilience of incident response plans with red/blue team penetration testing.
- Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
- Segment cyber threats to disrupt lateral movement following network compromise.
Recover
- Prioritize critical cyber threats and address them promptly.
- Track the remediation efforts of all security risks.
- Confirm the efficacy of remediation efforts with security ratings.
NIST 800-53 Third-Party Risk Compliance with UpGuard
UpGuard helps organizations achieve NIST 800-53 compliance in their third-party risk management framework with the following features:
- Third-party attack surface monitoring to discover security risks putting the supply chain at risk of compromise.
- Vendor Tiering to support the timely remediation of critical security risks.
- A library of customizable vendor risk assessments that track compliance against popular standards and frameworks, including NIST 800-53.
- Data leak detection and remediation services addressing critical exposures before cybercriminals discover them.