The National Institute of Standards and Technology (NIST) has responded to the increased prevalence of third-party risks by specifying industry standards for securing the supply chain attack surface - the attack surface most vulnerable to third-party risks.
These guidelines consist of a series of security controls stretching across three different publications:
- NIST SP 800-53 (Revision 5) - Security and Privacy Controls for Information Systems and Organizations.
- NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST Cybersecurity Framework - Framework for Improving Critical Infrastructure Cybersecurity
There is an overlap between the impact of third-party risk controls across all three NIST publications, so compliance with a single standard would also meet many of the third-party risk requirements of the other two standards.
This post will focus on the NIST SP 800-53 publication and explain how to meet its third-party security requirements.
Learn how UpGuard streamlines the security questionnaire process >
Is NIST 800-53 Compliance Mandatory?
All U.S. federal government agencies must observe the third-party requirements in NIST 800-53 privacy controls for federal information systems and organizations.
However, implementing the NIST 800-53 framework is an option for any entity seeking to improve its supply chain security posture. The benefit of voluntarily complying with 800-53 is that its security controls could also support compliance with other regulations including 23 NY CRR 500.
Learn how to comply with the third-party risk management requirements of 23 NY CRR 500.
Federal Information Security Management Act (FISMA), a United States Federal law outlining a resilient protection framework for government data, requires the following entities to implement NIST 800-53 security controls:
- Federal government agencies
- State agencies
- Federal programs
- Private sector firms that support, sell or receive services from the U.S government.
Learn how UpGuard simplifies Vendor Risk Management >
NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls
Third-party data breaches are too big of a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party cybersecurity risk. This incident disrupted information security programs globally, igniting a mass audit of vendor risk assessment designs and incident response policies. Security teams reshuffled their properties to accommodate a new north-star metric - improving the baseline of cybersecurity across all third-party service providers.
The NIST SP 800-53 risk management framework offers organizations a structured approach for maturing their cyber supply chain risk management processes.
The latest revision of the NIST SP 800-53 publication (revision 5) includes a new control group specifically devoted to securing supply chain security risks in cybersecurity programs.
The supply chain risk management control family is comprised of 12 controls:
- SR-1: Policy and procedures
- SR-2: Supply chain risk management plan
- SR-3: Supply chain controls and processes
- SR-4: Provenance
- SR-5: Acquisition strategies, tools, and methods
- SR-6: Supplier assessments and reviews
- SR-7: Supply chain operations security
- SR-8: Notification agreements
- SR-9: Tamper resistance and detection
- SR-10: Inspection of systems or components
- SR-11: Component authenticity
- SR-12: Component disposal
To support a structured security control selection process, NIST SP 800-53 adopts the Federal Information Processing Standard (FIPS) categorization system. FIPS separates information security systems into three levels of safeguard severity:
- Low-impact
- Moderate-impact
- High-impact
Is NIST 800-53 a Framework or a Standard?
While the terms ‘standard’ and ‘framework’ are commonly used interchangeably, it’s most helpful to consider NIST 800-53 as a framework for improving information security practices.
By considering NIST 800-53 a framework rather than a standard, its implementation becomes an option for a broader range of organizations - not just the entities required by law to implement it.
The following organization types can implement NIST 800-53 into their information technology and risk management programs:
- Government agencies
- Federal agencies
- The healthcare industry
- Department of Defense (DoD)
The risk framework for the DoD is also partially based on NIST 800-171.
A NIST 800-53 Third-Party Risk Compliance Framework
Rather than viewing compliance from the perspective of each security measure, a more efficient implementation process is achieved by dividing the effort into five core functions.
- Identify which assets require protection (prioritize high-risk assets storing sensitive data).
- Protect - Implement proportional data security measures to protect vulnerable assets.
- Detect - Detect potential cyber threats seeking to exploit vulnerable assets.
- Respond - Contain cyber threats to prevent further compromise.
- Recover - Follow remediation protocols to support business continuity.
This compliance framework can also be applied to the NIST Cybersecurity Framework (NIST CSF) publication.
Complying with NIST 800-53 Third-Party Risk Mitigation Requirements
The following best practices will help you address the five core functions outlined above and, in turn, address the third-party risk mitigation requirement of NIST 800-53.
Identify
- Incorporate access control and data protection security policies in vendor onboarding contracts.
- Organize supply chain vendor by the level of potential security impact.
- Set a standard of complete security risk transparency throughout the lifecycle of vendor relationships (stipulated in onboarding contracts).
- Identify your risk threshold across all assets.
- Identify all the assets in your ecosystem with digital footprinting.
Protect
- Implement a continuous monitoring solution that includes suggested remediation efforts for discovered risks.
- Implement in-person training or webinars to educate employees on identifying phishing and social engineering attacks.
- Enforce appropriate personnel security hygiene across all remote workers.
- Conduct risk assessment throughout system development life cycles.
- Evaluate the risk exposure within your supply chain with security assessments.
- Ensure all third-party vendors remain compliant with regulatory standards, such as HIPAA, PCI DSS, and ISO 27001.
Learn more about ISO/IEC 27001 >
Detect
- Discover and address vulnerabilities that could facilitate cyber threat injection
- Discover and shut down data leaks exposing sensitive information.
- Scan open ports for suspicious activity.
- Secure all open ports.
Respond
- Keep incident response and security plans updated.
- Periodically test the resilience of incident response plans with red/blue team penetration testing.
- Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
- Segment cyber threats to disrupt lateral movement following network compromise.
Recover
- Prioritize critical cyber threats and address them promptly.
- Track the remediation efforts of all security risks.
- Confirm the efficacy of remediation efforts with security ratings.
- Learn how to meet the TPRM requirements of NIST 800-53 >
- Use this checklist to track your compliance with NIST 800-53 >
How UpGuard Can Help
UpGuard helps businesses comply with the third-party risk security standards of NIST 800-53 with a platform addressing the entire Vendor Risk Management lifecycle. By offering a library of questionnaires mapping to NIST Special Publication 800-53 and other popular standards like the GDPR, and combining these point-in-time assessments with continuous attack surface monitoring, UpGuard gives security teams real-time awareness of their entire attack surface and level of NIST 80053 compliance.
Watch the video below to learn how UpGuard streamlines the risk assessment process, due diligence, and vendor risk management strategies.
