NIST released two industry standards to drive security requirements around supply-chain (a.k.a third-party) management. Here’s an overview of the NIST guidelines regarding continuous third-party risk monitoring.

NIST 800-53

NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations sets out guidelines and controls for protecting the government’s sensitive information as well as citizens’ personal information from information security and cyber attacks. It aims to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). The controls (operational, technical, and management safeguards ) and guidelines are evolving in accordance with changes in the information and cyber security landscape as well as shifts in infrastructures, and business models. However, the ultimate goal remains the same: To maintain the integrity, confidentiality, and security of federal information systems.

Currently, the draft publication is released for the fifth revision. Some important changes in this revision are:

  • Integrating privacy controls into the control set,
  • Scoping controls to be used by different interest groups such as systems, engineers, software developers, enterprise architects; and mission/business owners;
  • Integration with different risk management and cybersecurity approaches such as NIST Cyber Security Framework,
  • Incorporating new controls based on threat intelligence

How NIST 800-53 Views Third Parties

NIST views supply chain risk management as a critical organizational function. Organizational assets need to be protected throughout the system development life cycle. A standardized process need to be addressed with respect to supply-chain risk of information systems and system components. Another important process is to educate the acquisition workforce on threats, risk, and required security controls. 

Most of the supply-chain related controls are listed under System and Services Acquisition Policy and Procedures of NIST 800-53 and in particular SA-12 controls. 

Organizations can leverage these controls; 

  • to reduce the likelihood of unauthorized modifications at each stage in the supply chain; and
  • to protect information systems and information-system components, prior to taking delivery of such systems/components. 

NIST Supply-Chain Risk Management in a Nutshell

1.  Employ organization-defined tailored acquisition strategies, for the purchase of the information system and/or  system component

2. Conduct a supplier review prior to entering into a contractual agreement

3.  Employ security safeguards to limit harm from potential adversaries  

4.  Conduct an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.

5. Use all-source intelligence analysis (inc. OSINT) of suppliers and potential suppliers of the information system

6. Employ at least one of those: organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing

NIST Cyber Security Framework (CSF)

In April 2018, NIST updated its cybersecurity framework, clarifying and enhancing some of its requirements. An important part of the update is on expanding the Cyber Supply-Chain Risk Management process and additional section Buying Decision.

This framework can be seen as a common language aiming to improve “risk and cybersecurity communications” both internally, a.k.a. from server room to the board room, and across stakeholders. It is an inclusive framework that can be used across many businesses and different domains.  

The framework simplifies the cybersecurity functionalities within an organization by narrowing down to five functionalities; Identify, Protect, Detect, Respond, and Recover, following similar steps to that of NIST SP 800-53. 

Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, explains how to use the framework to manage supply chain risk.

Cyber SCRM addresses both the cybersecurity effect an organization has on external parties and the cybersecurity effect external parties have on an organization.  Organizations can communicate through the Current Profile or Target Profile to express its cybersecurity state/requirements either with their existing or prospective suppliers.

Most of the supplier-related actions are contained in the Identify (Supply-Chain Risk Management) Functionality of the framework. 

Cyber SCRM activities may include: 

•  Determining cybersecurity requirements for suppliers, 

•  Enacting cybersecurity requirements through a formal agreement (e.g., contracts), 

•  Communicating to suppliers how those cybersecurity requirements will be verified and validated, 

•  Verifying that cybersecurity requirements are met through a variety of assessment methodologies, and 

•  Governing and managing the above activities.


Comprehensive Cyber Risk Rating

Black Kite cyber rating can be directly leveraged in the whole supply-chain risk management process that is covered under SA-12 of NIST 800-53 and Supply Chain Risk Management function of NIST CSF.

Compliance Module

Knowing the cybersecurity maturity level by assessing compliance levels is a key component in reducing third-party risks. Black Kite’s standards-based approach makes it easy to estimate and assess the compliance levels of third parties. Black Kite correlates cyber risk findings to industry standards and best practices. The classification allows organizations to measure the compliance level of any company for different regulations and standards including NIST 800-53, ISO27001, PCI-DSS, HIPAA,  GDPR, and Shared Assessments.

Probable Financial Impact Rating based on Open FAIR

Black Kite uses Open FAIRTM model to calculate the probable financial impact if a third-party vendor, partner or supplier experiences a breach. It communicates risks in quantitative, easy-to-understand business terms. Open FAIRTM has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk, meeting the criteria of “..implementing a standardized process to address supply chain risk” of NIST 800-53 SA-12.

A Summary of Black Kite Features to Utilize

The below table summarizes how Black Kite can be utilized to understand the compliance level of third parties for NIST control items.