The National Institute of Standards and Technology (NIST) has responded to the growing prevalence of third-party risk by specifying industry standards for securing the supply chain attack surface - the attack surface most exposed to third-party risks.
This guidance consists of a series of security controls spanning three different publications:
- NIST SP 800-53 (Revision 5) - Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST Cybersecurity Framework - Framework for Improving Critical Infrastructure Cybersecurity
The third-party risk requirements of the three NIST publications overlap, so compliance with one of them will also satisfy many of the third-party risk requirements of the other two.
This post focuses on NIST SP 800-53 and explains how to meet its third-party security requirements.
Learn how UpGuard streamlines the security questionnaire process >
Is NIST 800-53 Compliance Mandatory?
All U.S. federal government agencies must observe the third-party requirements in the NIST 800-53 security and privacy controls for federal information systems and organizations.
However, implementing the NIST 800-53 framework is an option for any entity seeking to improve its supply chain security posture. The benefit of voluntarily complying with 800-53 is that its security controls can also support compliance with additional regulations, including 23 NYCRR 500.
Learn how to comply with the third-party risk management requirements of 23 NYCRR 500.
The Federal Information Security Management Act (FISMA), a United States federal law that establishes a protection framework for government data, requires the following entities to implement NIST 800-53 security controls:
- Federal government agencies
- State agencies
- Federal programs
- Private sector firms that support, sell to, or receive services from the U.S. government
Learn how UpGuard simplifies Vendor Risk Management >
NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls
Third-party data breaches are too big a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party cybersecurity risks. The incident disrupted information security programs globally, prompting a mass review of vendor risk assessment designs and incident response policies. Security teams reshuffled their priorities around a new north-star metric - raising the cybersecurity baseline across all third-party service providers.
The NIST SP 800-53 risk management framework gives organizations a structured approach for maturing their cyber supply chain risk management processes.
The latest revision of NIST SP 800-53 (Revision 5) adds a new control family devoted specifically to addressing supply chain security risks in cybersecurity programs.
The Supply Chain Risk Management (SR) control family comprises 12 controls:
- SR-1: Policy and procedures
- SR-2: Supply chain risk management plan
- SR-3: Supply chain controls and processes
- SR-4: Provenance
- SR-5: Acquisition strategies, tools, and methods
- SR-6: Supplier assessments and reviews
- SR-7: Supply chain operations security
- SR-8: Notification agreements
- SR-9: Tamper resistance and detection
- SR-10: Inspection of systems or components
- SR-11: Component authenticity
- SR-12: Component disposal
To support a structured security control selection process, NIST SP 800-53 follows the Federal Information Processing Standards (FIPS) categorization system. FIPS 199 categorizes information systems into three impact levels, and NIST 800-53 defines a control baseline for each:
- Low-impact
- Moderate-impact
- High-impact
Is NIST 800-53 a Framework or a Standard?
While the terms 'standard' and 'framework' are often used interchangeably, it's most helpful to consider NIST 800-53 a framework for improving information security programs.
Treating NIST 800-53 as a framework rather than a standard makes its implementation an option for a broader range of organizations - not just those required by law to implement it.
The following organization types could apply NIST 800-53 to their information security and risk management programs:
- Government agencies
- Federal agencies
- The healthcare industry
- Department of Defense (DoD)
The DoD's risk framework is also partially based on NIST 800-171.
A NIST 800-53 Third-Party Risk Compliance Framework
Rather than approaching compliance one security control at a time, a more efficient implementation process is achieved by dividing the effort into five main functions:
- Identify - Identify which assets require protection (prioritize high-risk assets storing sensitive data).
- Protect - Implement proportional data security measures to protect vulnerable assets.
- Detect - Detect cyber threats seeking to exploit vulnerable assets.
- Respond - Contain cyber threats to prevent further compromise.
- Recover - Follow remediation protocols to support business continuity.
These are the five core functions of the NIST Cybersecurity Framework (NIST CSF), so this compliance framework maps directly to that publication as well.
Complying with NIST 800-53 Third-Party Risk Mitigation Requirements
The following best practices will help you address the five core functions outlined above and, in turn, the third-party risk mitigation requirements of NIST 800-53.
Identify
- Incorporate access control and data protection requirements into vendor onboarding contracts.
- Tier supply chain vendors by their level of potential security impact.
- Set a standard of full security risk transparency throughout the lifecycle of each vendor relationship (stipulated in onboarding contracts).
- Define your risk threshold across all assets.
- Identify all the assets in your ecosystem with digital footprinting.
Protect
- Implement a continuous monitoring solution that includes suggested remediation actions for discovered risks.
- Run in-person training or webinars to teach staff to recognize phishing and social engineering tactics.
- Enforce appropriate personal security hygiene across all remote workers.
- Conduct risk assessments throughout the system development life cycle.
- Evaluate the risk exposure within your supply chain with security assessments.
- Ensure all third-party vendors remain compliant with applicable regulations and standards, such as HIPAA, PCI DSS, and ISO 27001.
Learn more about ISO/IEC 27001 >
Detect
- Discover and address vulnerabilities that could facilitate cyber threats.
- Discover and shut down data leaks exposing sensitive information.
- Monitor open ports for suspicious activity.
- Secure all open ports.
Respond
- Keep incident response and security plans up to date.
- Periodically test the resilience of incident response plans with red/blue team penetration testing.
- Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
- Deploy controls that disrupt lateral movement following a network compromise.
Recover
- Prioritize critical cyber threats and address them promptly.
- Track the remediation efforts for every security risk.
- Verify the efficacy of remediation efforts with security ratings.
Learn how to meet the TPRM requirements of NIST 800-53 >
Use this checklist to track your compliance with NIST 800-53 >
How UpGuard Can Help
UpGuard helps businesses comply with the third-party risk management standards of NIST 800-53 through a platform that addresses the entire Vendor Risk Management lifecycle. By offering a library of questionnaires mapped to NIST Special Publication 800-53 and other popular standards such as the GDPR, and combining these point-in-time assessments with continuous attack surface monitoring, UpGuard gives security teams real-time awareness of their entire attack surface and their level of NIST 800-53 compliance.
Watch the video below to learn how UpGuard streamlines the risk assessment process, due diligence, and vendor risk management strategies.