The National Institute of Standards and Technology (NIST) has responded to the increased prevalence of third-party risks by specifying industry standards for securing the supply chain attack surface - the attack surface most vulnerable to third-party risks.

These guidelines consist of a series of security controls stretching across three different publications:

  • NIST SP 800-53 (Revision 5) - Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST Cybersecurity Framework - Framework for Improving Critical Infrastructure Cybersecurity

The third-party risk controls in these three NIST publications overlap considerably, so compliance with one of them also satisfies many of the third-party risk requirements of the other two.

This post will focus on the NIST SP 800-53 publication and explain how to meet its third-party security requirements.
Is NIST 800-53 Compliance Mandatory?

All U.S. federal government agencies must implement the third-party requirements in the NIST 800-53 security and privacy controls for federal information systems and organizations.

However, implementing the NIST 800-53 framework is an option for any organization seeking to improve its supply chain security posture. The benefit of voluntarily complying with 800-53 is that its security controls can also support compliance with other regulations, including 23 NY CRR 500.
The Federal Information Security Management Act (FISMA), a United States federal law that defines a protection framework for government information, requires the following entities to implement NIST 800-53 security controls:

  • Federal government agencies
  • State agencies
  • Federal programs
  • Private sector firms that support, sell to, or receive services from the U.S. government
NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls

Third-party data breaches are too big a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party cybersecurity risk. The incident disrupted information security programs globally, prompting a mass audit of vendor risk assessment designs and incident response policies. Security teams reshuffled their priorities around a new north-star metric: raising the cybersecurity baseline across all third-party service providers.

The NIST SP 800-53 risk management framework offers organizations a structured approach for maturing their cyber supply chain risk management processes.

The latest revision of NIST SP 800-53 (revision 5) adds a new control family devoted specifically to managing supply chain risk within cybersecurity programs.

The supply chain risk management control family comprises 12 controls.

To support a structured security control selection process, NIST SP 800-53 adopts the Federal Information Processing Standards (FIPS) categorization system, which sorts information systems into three impact levels that determine how stringent the required safeguards are:

  1. Low-impact
  2. Moderate-impact
  3. High-impact

Is NIST 800-53 a Framework or a Standard?

While the terms ‘standard’ and ‘framework’ are commonly used interchangeably, it’s most helpful to consider NIST 800-53 as a framework for improving information security practices.

By considering NIST 800-53 a framework rather than a standard, its implementation becomes an option for a broader range of organizations - not just the entities required by law to implement it.

The following organization types can adopt NIST 800-53 in their information technology and risk management programs:

The risk framework for the DoD is also partially based on NIST 800-171.

A NIST 800-53 Third-Party Risk Compliance Framework

Rather than approaching compliance one security measure at a time, it is more efficient to divide the effort into five core functions.

  • Identify - Determine which assets require protection (prioritize high-risk assets storing sensitive data).
  • Protect - Implement proportional data security measures to protect vulnerable assets.
  • Detect - Detect potential cyber threats seeking to exploit vulnerable assets.
  • Respond - Contain cyber threats to prevent further compromise.
  • Recover - Follow remediation protocols to support business continuity.

This compliance framework can also be applied to the NIST Cybersecurity Framework (NIST CSF) publication.

Complying with NIST 800-53 Third-Party Risk Mitigation Requirements

The following best practices will help you address the five core functions outlined above and, in turn, meet the third-party risk mitigation requirements of NIST 800-53.

  • Keep incident response and security plans updated.
  • Periodically test the resilience of incident response plans with red/blue team penetration testing.
  • Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
  • Segment networks to disrupt lateral movement following a network compromise.


How UpGuard Can Help

UpGuard helps businesses comply with the third-party risk security standards of NIST 800-53 with a platform addressing the entire Vendor Risk Management lifecycle. By offering a library of questionnaires mapped to NIST Special Publication 800-53 and other popular standards such as the GDPR, and combining these point-in-time assessments with continuous attack surface monitoring, UpGuard gives security teams real-time awareness of their entire attack surface and their level of NIST 800-53 compliance.