Meeting the Third-Party Risk Requirements of NIST 800-53 in 2023

The National Institute of Standards and Technology (NIST) has responded to the increased prevalence of third-party risks by specifying industry standards for securing the supply chain attack surface - the attack surface most vulnerable to third-party risks.

These guidelines consist of a series of security controls stretching across three different publications:

  • NIST SP 800-53 (Revision 5) - Security and Privacy Controls for Information Systems and Organizations.
  • NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST Cybersecurity Framework - Framework for Improving Critical Infrastructure Cybersecurity

There is an overlap between the impact of third-party risk controls across all three NIST publications, so compliance with a single standard would also meet many of the third-party risk requirements of the other two standards.

This post will focus on the NIST SP 800-53 publication and explain how to meet its third-party security requirements.

Is NIST 800-53 Compliance Mandatory?

All U.S Federal government agencies must observe the third-party requirements in NIST 800-53 privacy controls for federal information systems and organizations.

However, implementing the NIST 800-53 framework is an option for any entity seeking to improve its supply chain security posture. The benefit of voluntarily comply with 800-53 is that it's security controls could also support compliance with other regulation including 23 NY CRR 500.

Learn how to comply with the third-party risk management requirements of 23 NY CRR 500.

Federal Information Security Management Act (FISMA), a United States Federal law outlining a resilient protection framework for government data, requires the following entities to implement NIST 800-53 security controls:

  • Federal government agencies
  • State agencies
  • Federal programs
  • Private sector firms that support, sell or receive services from the U.S government.

NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls

Third-party data breaches are too big of a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party risk. This incident disrupted information security programs globally, igniting a mass audit of risk assessment designs and incident response policies. Security teams reshuffled their properties to accommodate a new north-star metric - improving the baseline of cybersecurity across all third-party service providers.

The NIST SP 800-53 risk management framework offers organizations a structured approach for maturing their supply chain risk management processes.

The latest revision of the NIST SP 800-53 publication (revision 5) includes a new control group specifically devoted to securing supply chain security risks in cybersecurity programs.

The supply chain risk management control family is comprised of 12 controls:

To support a structured security control selection process, NIST SP 800-53 adopts the Federal Information Processing Standard (FIPS) categorization system. FIPS separates information security systems into three levels of safeguard severity:

  1. Low-impact
  2. Moderate-impact
  3. High-impact

Is NIST 800-53 a Framework or a Standard?

While the terms ‘standard’ and ‘framework’ are commonly used interchangeably, it’s most helpful to consider NIST 800-53 as a framework for improving information security practices.

By considering NIST 800-53 a framework rather than a standard, its implementation becomes an option for a broader range of organizations - not just the entities required by law to implement it.

The following organization types can implement NIST 800-53 into their information technology and risk management programs:

The risk framework for the DoD is also partially based on NIST 800-171.

A NIST 800-53 Third-Party Risk Compliance Framework

Rather than viewing compliance from the perspective of each security measure, a more efficient implementation process is achieved by dividing the effort into five core functions.

  • Identify which assets require protection (preference those storing sensitive data).
  • Protect - Implement proportional security measures to protect vulnerable assets.
  • Detect - Detect potential cyber threats seeking to exploit vulnerable assets.
  • Respond - Contain cyber threats to prevent further compromise.
  • Recover - Follow remediation protocols to support business continuity.

This compliance framework can also be applied to the NIST Cybersecurity Framework (NIST CSF) publication.

Complying with NIST 800-53 Third-Party Risk Mitigation Requirements

The following best practices will help you address the five core functions outlined above and, in turn, address the third-party risk mitigation requirement of NIST 800-53.





  • Keep incident response and security plans updated.
  • Periodically test the resilience of incident response plans with red/blue team penetration testing.
  • Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
  • Segment cyber threats to disrupt lateral movement following network compromise.


Learn how to meet the third-party risk management requirements of NIST 800-53.

Use this checklist to track your compliance with NIST 800-53.

NIST 800-53 Third-Party Risk Compliance with UpGuard

UpGuard helps organizations achieve NIST 800-53 compliance in their third-party risk management framework with the following features:

  • Third-party attack surface monitoring to discover security risks putting the supply chain at risk of compromise.
  • Vendor Tiering to support the timely remediation of critical security risks.
  • A library of customizable vendor risk assessments that track compliance against popular standards and frameworks, including NIST 800-53.
  • Data leak detection and remediation services addressing critical exposures before cybercriminals discover them.

Click here to try UpGuard for free for 7 days.

Ready to see
UpGuard in action?