Meeting the Third-Party Risk Standards of NIST 800-53

Organizations of all sizes and industries continue to be at risk of sophisticated cybersecurity threats. Supply chain attacks in recent years have brought even more attention to the importance of third-party risk management (TPRM). The National Institute of Standards and Technology (NIST) periodically releases new and updated standards and frameworks to address these threats and instruct government agencies on how to protect against evolving third-party risks.

These publications can be valuable resources to enhance security practices, even if your organization isn’t a federal agency, as many private-sector organizations use NIST control frameworks as inspiration and benchmarking for their own control environments.

NIST Special Publication 800-53 Revision 5 (NIST 800-53) is a comprehensive publication titled Security and Privacy Controls for Information Systems and Organizations. At nearly 500 pages, and on its fifth revision since 2005, NIST 800-53 covers a wide range of control areas that government agencies and contractors may need to follow depending on the risks posed. 

This blog will focus on the section covering supply chain risk management and offer suggestions on how your organization can comply.

Note: Excerpts from the publication are noted in italics.

12 Supply Chain Control and Third-Party Risk Requirements of NIST 800-53 

Security and privacy controls are essentially the actions an organization must perform to ensure compliance with NIST standards.

NIST 800-53 outlines 12 categories of controls for supply chain risk management:  

1. Policy and procedures – These should be developed and documented by a designated individual in the organization, and in collaboration with security and privacy. The policy and procedures should address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. These documents should be reviewed and updated as needed. 
2. Supply chain risk management plan – This should be developed to include the organization’s supply chain risk tolerance and acceptable supply chain risk mitigation strategies or controls. This plan should also address a process for consistently evaluating and monitoring supply chain risk. Organizations may also want to consider enhancing this plan by establishing a supply chain risk management team, which can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.
3. Supply chain controls and processes – Organizations should develop a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes. Fourth parties are also referenced within this section as “subcontractors.” Organizations should make sure that any controls listed in their third-party contracts are also included in the contracts of subcontractors. This can be interpreted as ensuring your fourth parties are following the same security standards as your third parties.
4. Provenance – Information systems and data within the supply chain can change, so organizations are expected to document and monitor the origin, development, ownership, location, and changes to a system or system component and associated data. This allows organizations to understand and manage risk and reduce their susceptibility to adverse events.
5. Acquisition strategies, tools, and methods – These should be employed to protect against, identify, and mitigate supply chain risks. One of the control enhancements suggests mitigating concentration risk, stating the use of multiple suppliers throughout the supply chain for the identified critical components. Another enhancement states that an organization should evaluate a system before making a selection, acceptance, modification, or update. 
6. Supplier assessments and reviews – This control describes how an organization should assess a supplier’s or third party’s risk by evaluating the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. This essentially means that an organization should assess how well its vendors are managing their own third parties. Organizations should use these assessments to inform organizational risk management activities and decisions.
7. Supply chain operations security – Organizations should protect supply chain-related information for the system, which includes processes for identifying critical information and implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level. Safeguards and countermeasures can refer to many different strategies, so it’s best to engage a qualified subject matter expert (SME) who can advise on best practices for your organization. 
8. Notification agreements – It’s essential to create agreements and procedures with entities involved in the supply chain, which may include early notification of compromises and potential compromises. Incorporating data breach notification requirements in your vendor contracts would be an effective strategy to comply with this control.
9. Tamper resistance and detection – A tamper protection program should be implemented on systems to ensure they’re safe from external threats that are attempting to disable or change certain security settings. The control enhancement suggests using obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries.
10. Inspection of systems or components – Organizations should conduct system inspections to detect any tampering that may occur in systems and system components removed from organization-controlled areas.
11. Component authenticity – Anti-counterfeit policies and procedures should be implemented to ensure a system’s components are authentic. Organizations should have processes in place to provide a level of protection against the introduction of malicious code that may occur from a vendor’s counterfeit components. 
12. Component disposal – Third parties that have access to an organization’s data or documentation should be obligated to dispose of these materials according to certain techniques and methods. This ensures the data is protected from compromise and helps to prevent such components from entering the gray market.

Third-Party Risk Management Best Practices for NIST 800-53 Compliance 

Many of these controls can be highly technical and will likely require the knowledge of subject matter experts (SMEs) to implement properly. However, there are best practices that can be performed in your third-party risk management program, regardless of your technical expertise: 

• Review your governance documents – Your third-party risk management policy should be reviewed at least annually and approved by the board or senior management. Consider taking another look at your policy, program document, and procedures to identify any gaps that may exist in your current privacy or security practices. As a reminder:
  
  • A third-party risk management policy outlines the rules and requirements of your third-party risk management program.
  • A program document sets out the processes, workflows, timing, and stakeholder activities necessary to execute the policy’s requirements. 
  • Procedures are the step-by-step instructions for the processes outlined in the program document. 
• Strengthen your ongoing activities – Make sure your third-party risk management program includes appropriate ongoing activities such as periodic risk re-assessments and risk and performance monitoring. Vendor risk alert and monitoring services can be a valuable tool that provides specific insight into certain risk areas like cybersecurity or privacy. 
• Require external audits – It’s important to review external audits – like a SOC report – that have been performed on the vendor’s control environment. These audit findings will give you an unbiased opinion on your vendor’s cybersecurity posture and can identify any gaps or weaknesses that need to be addressed. 
• Identify your critical fourth parties – Although your organization has no direct contract with your fourth parties, it’s still important to have an awareness of these relationships so you have a better understanding of the broader risk landscape. Focus on your critical fourth parties, which are essentially the third parties of your critical vendors. These can be identified by reviewing your third party’s SOC 2 Type II report. This report will disclose the third party’s “subservice organizations,” which are your fourth parties.

Organizations looking to enhance their cybersecurity practices should consider using the security and privacy controls outlined in NIST 800-53. These controls will help protect against the cybersecurity threats that are targeting your organization and third parties.