Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Third-Party Risk Management Requirements of NIST Cybersecurity Framework 2.0

5 min read
Featured Image

In 2014, the National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) as a guide for organizations in critical infrastructure. Ten years later, CSF 2.0 has been released and is intended for a much broader audience. Organizations in any industry can use the new framework as a guideline for improving their cybersecurity programs. In addition to this broader scope, CSF 2.0 dedicates more attention to managing supply chain cybersecurity risk, which is a part of third-party cybersecurity risk.

This blog covers some of the main elements of the framework, along with practices your organization can use to meet these standards. We’ll also give an overview of the new section on Cybersecurity Supply Chain Risk Management in NIST CSF 2.0. Many of the objectives listed in this section can be aligned with current third-party risk management best practices.

Note: Text from the guidance is noted in italics.

NIST Cybersecurity Framework 2.0 Core: Proactive and Reactive Functions for Your Organization and Its Suppliers

It’s important to remember that the framework isn’t prescriptive because every organization will require a unique strategy. CSF 2.0 simply describes what desirable outcomes an organization can aspire to achieve and provides guidance and suggestions on certain practices that may be used to meet those outcomes. The CSF Core describes six functions in which these practices may be categorized.

Here’s a brief description of each function with an example of a practice that can meet the outcome:  

Proactive Cybersecurity Functions

Managing cybersecurity risk involves many proactive functions that are designed to prevent incidents from occurring. These functions should be continuous to ensure an organization’s cybersecurity risk is properly identified and managed: 

  1. GovernThe organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. 

    EXAMPLE: Your organization has a documented policy that describes the roles, responsibilities, and overall strategy of its cybersecurity risk management program.
  2. IdentifyThe organization’s current cybersecurity risks are understood. 

    EXAMPLE: Your organization engages with qualified subject matter experts (SMEs) who can assess internal and external cybersecurity risks and advise on areas of improvement.
  3. ProtectSafeguards to manage the organization’s cybersecurity risks are used. 

    EXAMPLE: Your organization practices effective cyber hygiene such as installing antivirus software, implementing firewalls, and employing encryption tools. 
  4. DetectPossible cybersecurity attacks and compromises are found and analyzed.

    EXAMPLE: Your organization performs regular pentation and vulnerability testing to identify and assess potential weaknesses for remediation

Reactive Cybersecurity Functions

Cybersecurity incidents are not 100% avoidable, so it’s essential to understand how your organization will respond to an event like a data breach or ransomware attack. The guidance states that actions that support RESPOND and RECOVER should be ready at all times and happen when cybersecurity incidents occur. The following functions can be considered reactive within your cybersecurity program:

  1. RespondActions regarding a detected cybersecurity incident are taken. 

    Your organization develops, tests, and maintains an incident response plan which includes details on analysis, mitigation, and reporting.
  2. RecoverAssets and operations affected by a cybersecurity incident are restored.

    EXAMPLE: Your organization develops, tests, and maintains a disaster recovery plan which includes details on recovery time objectives (RTOs), recovery point objectives (RPOs), and maximum allowable downtime.

third-party risk management requirements nist cybersecurity framework

Managing Cybersecurity Risk With Your Third Parties and Suppliers According to NIST CSF 2.0 

Within the govern function, NIST outlines several outcomes related to Cybersecurity Supply Chain Risk Management. For the purpose of this blog, we’ll use the term “third party” in place of suppliers. 

Here are some of the key principles to follow: 

  • Criticality – Organizations should prioritize their third parties based on the critical nature of those relationships. Critical third parties are those that have the biggest impact on your organization or customers. Here are 3 questions to ask to help determine criticality:
    1. If we abruptly lost this third party, would there be a significant disruption to our operations?
    2. Would the sudden loss or breach of this third party impact our customers?
    3. If the time to restore service required more than 24 hours, would there be a negative impact on our organization?
  • Pre-contract due diligence – Organizations should reduce cybersecurity risks by planning and performing due diligence before signing the third-party contract. In general, it’s important to collect and review information about the third party’s security testing, data security standards and policies, incident detection and response plans, and employee, contractor, and vendor management. 
  • Contract management – Third-party contracts should include requirements about how to address cybersecurity risk. This might include provisions such as cybersecurity insurance, data breach notification requirements, or a right to audit clause.
  • Incident planning – Relevant third parties should be integrated into an organization’s incident response plan. If your organization suffers a cybersecurity incident due to the exploitation of a system managed by a Managed System Provider (MSP), having a predefined plan of action would decrease response times and ensure expectations are met. Another common scenario is the breach of a third party such as a file transfer system, where the same benefits of having a predefined plan would be important.  
  • Ongoing monitoring – A third party’s cybersecurity risk and performance should be monitored throughout the relationship. New cyber threats can emerge and a third party’s controls can become ineffective, so it’s essential to monitor and assess these risks on an ongoing basis. 
  • Exit planning – An organization’s cybersecurity risk management plan should include provisions for activities that need to occur after a third-party relationship ends. This typically includes documenting the third party’s responsibilities around data destruction or return and withdrawing access to your network.

This updated framework offers a lot of guidance on the criteria for a rigorous cybersecurity program. By following this framework and using other resources provided by NIST, your organization can be better equipped to manage cybersecurity risks that exist internally and within your third parties.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo