
Third-Party Risk Management Requirements of NIST Cybersecurity Framework 2.0


In 2014, the National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) as a guide for organizations in critical infrastructure. Ten years later, CSF 2.0 has been released and is intended for a much broader audience. Organizations in any industry can use the new framework as a guideline for improving their cybersecurity programs. In addition to this broader scope, CSF 2.0 dedicates more attention to managing supply chain cybersecurity risk, which is a part of third-party cybersecurity risk.

This blog covers some of the main elements of the framework, along with practices your organization can use to meet these standards. We’ll also give an overview of the new section on Cybersecurity Supply Chain Risk Management in NIST CSF 2.0. Many of the objectives listed in this section can be aligned with current third-party risk management best practices.

Note: Text from the guidance is noted in italics.

NIST Cybersecurity Framework 2.0 Core: Proactive and Reactive Functions for Your Organization and Its Suppliers

It’s important to remember that the framework isn’t prescriptive because every organization will require a unique strategy. CSF 2.0 simply describes what desirable outcomes an organization can aspire to achieve and provides guidance and suggestions on certain practices that may be used to meet those outcomes. The CSF Core describes six functions in which these practices may be categorized.

Here’s a brief description of each function with an example of a practice that can meet the outcome:  

Proactive Cybersecurity Functions

Managing cybersecurity risk involves many proactive functions that are designed to prevent incidents from occurring. These functions should be continuous to ensure an organization’s cybersecurity risk is properly identified and managed: 

  1. Govern – The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

    EXAMPLE: Your organization has a documented policy that describes the roles, responsibilities, and overall strategy of its cybersecurity risk management program.
  2. Identify – The organization’s current cybersecurity risks are understood.

    EXAMPLE: Your organization engages with qualified subject matter experts (SMEs) who can assess internal and external cybersecurity risks and advise on areas of improvement.
  3. Protect – Safeguards to manage the organization’s cybersecurity risks are used.

    EXAMPLE: Your organization practices effective cyber hygiene such as installing antivirus software, implementing firewalls, and employing encryption tools.
  4. Detect – Possible cybersecurity attacks and compromises are found and analyzed.

    EXAMPLE: Your organization performs regular penetration and vulnerability testing to identify and assess potential weaknesses for remediation.

Reactive Cybersecurity Functions

Cybersecurity incidents are not 100% avoidable, so it’s essential to understand how your organization will respond to an event like a data breach or ransomware attack. The guidance states that actions that support RESPOND and RECOVER should be ready at all times and happen when cybersecurity incidents occur. The following functions can be considered reactive within your cybersecurity program:

  1. Respond – Actions regarding a detected cybersecurity incident are taken.

    EXAMPLE: Your organization develops, tests, and maintains an incident response plan which includes details on analysis, mitigation, and reporting.
  2. Recover – Assets and operations affected by a cybersecurity incident are restored.

    EXAMPLE: Your organization develops, tests, and maintains a disaster recovery plan which includes details on recovery time objectives (RTOs), recovery point objectives (RPOs), and maximum allowable downtime.


Managing Cybersecurity Risk With Your Third Parties and Suppliers According to NIST CSF 2.0 

Within the govern function, NIST outlines several outcomes related to Cybersecurity Supply Chain Risk Management. For the purpose of this blog, we’ll use the term “third party” in place of suppliers. 

Here are some of the key principles to follow: 

  • Criticality – Organizations should prioritize their third parties based on the critical nature of those relationships. Critical third parties are those that have the biggest impact on your organization or customers. Here are 3 questions to ask to help determine criticality:
    1. If we abruptly lost this third party, would there be a significant disruption to our operations?
    2. Would the sudden loss or breach of this third party impact our customers?
    3. If the time to restore service required more than 24 hours, would there be a negative impact on our organization?
  • Pre-contract due diligence – Organizations should reduce cybersecurity risks by planning and performing due diligence before signing the third-party contract. In general, it’s important to collect and review information about the third party’s security testing, data security standards and policies, incident detection and response plans, and employee, contractor, and vendor management. 
  • Contract management – Third-party contracts should include requirements about how to address cybersecurity risk. This might include provisions such as cybersecurity insurance, data breach notification requirements, or a right to audit clause.
  • Incident planning – Relevant third parties should be integrated into an organization’s incident response plan. If your organization suffers a cybersecurity incident due to the exploitation of a system managed by a Managed System Provider (MSP), having a predefined plan of action would decrease response times and ensure expectations are met. Another common scenario is the breach of a third party such as a file transfer system, where the same benefits of having a predefined plan would be important.  
  • Ongoing monitoring – A third party’s cybersecurity risk and performance should be monitored throughout the relationship. New cyber threats can emerge and a third party’s controls can become ineffective, so it’s essential to monitor and assess these risks on an ongoing basis. 
  • Exit planning – An organization’s cybersecurity risk management plan should include provisions for activities that need to occur after a third-party relationship ends. This typically includes documenting the third party’s responsibilities around data destruction or return and withdrawing access to your network.

This updated framework offers a lot of guidance on the criteria for a rigorous cybersecurity program. By following this framework and using other resources provided by NIST, your organization can be better equipped to manage cybersecurity risks that exist internally and within your third parties.
