The National Institute of Standards and Technology (NIST) has responded to the increased prevalence of third-party risks by specifying industry standards for securing the supply chain attack surface – the attack surface most vulnerable to third-party risks.
These guidelines consist of a series of security controls spanning three different publications:
- NIST SP 800-53 (Revision 5) – Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-161 – Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST Cybersecurity Framework – Framework for Improving Critical Infrastructure Cybersecurity
There is overlap in the third-party risk controls across all three NIST publications, so compliance with a single standard also meets many of the third-party risk requirements of the other two.
This post will focus on the NIST SP 800-53 publication and explain how to meet its third-party security requirements.
Is NIST 800-53 Compliance Mandatory?
All U.S. federal government agencies must follow the third-party requirements in the NIST 800-53 privacy controls for federal information systems and organizations.
However, implementing the NIST 800-53 framework is an option for any entity seeking to improve its supply chain security posture. The benefit of voluntarily complying with 800-53 is that its security controls may also support compliance with other regulations, including 23 NYCRR 500.
The Federal Information Security Management Act (FISMA), a United States federal law outlining a resilient security framework for government data, requires the following entities to implement NIST 800-53 security controls:
- Federal government agencies
- State agencies
- Federal programs
- Private sector companies that support, promote or receive services from the U.S. government
You can monitor how your vendors align with NIST 800-53 with this free NIST 800-53 risk assessment template.
NIST SP 800-53: Supply Chain Risk Management (SCRM) Controls
Third-party data breaches are too big of a problem to ignore. The damage caused by the SolarWinds cyberattack against the United States Federal Government demonstrates the devastating potential of unaddressed third-party cybersecurity risk. This incident disrupted information security programs globally, igniting a mass audit of vendor risk assessment designs and incident response policies. Security teams reshuffled their priorities to accommodate a new north-star metric – improving the baseline of cybersecurity across all third-party service providers.
The NIST SP 800-53 risk management framework offers organizations a structured approach for maturing their cyber supply chain risk management processes.
The latest revision of the NIST SP 800-53 publication (revision 5) includes a new control family specifically dedicated to addressing supply chain security risks in cybersecurity programs.
The supply chain risk management control family is comprised of 12 controls.
To support a structured security control selection process, NIST SP 800-53 adopts the Federal Information Processing Standards (FIPS) categorization system. FIPS separates information security systems into three levels of safeguard severity:
- Low-impact
- Moderate-impact
- High-impact
Is NIST 800-53 a Framework or a Standard?
While the terms 'standard' and 'framework' are sometimes used interchangeably, it is most helpful to think of NIST 800-53 as a framework for improving information security practices.
By considering NIST 800-53 a framework rather than a standard, its implementation becomes an option for a broader range of organizations – not just the entities required by law to implement it.
The following organization types can implement NIST 800-53 into their information technology and risk management programs:
The risk framework for the DoD is also partially based on NIST 800-171.
A NIST 800-53 Third-Party Risk Compliance Framework
Rather than viewing compliance from the perspective of each individual security measure, a more efficient implementation process is achieved by dividing the effort into five core functions.
- Identify – Identify which assets require protection (prioritize high-risk assets storing sensitive data).
- Protect – Implement proportional data protection measures to safeguard vulnerable assets.
- Detect – Detect potential cyber threats seeking to exploit vulnerable assets.
- Respond – Contain cyber threats to prevent further compromise.
- Recover – Follow remediation protocols to support business continuity.
This compliance framework can also be applied to the NIST Cybersecurity Framework (NIST CSF) publication.
Complying with NIST 800-53 Third-Party Risk Mitigation Requirements
The following best practices will help you address the five core functions outlined above and, in turn, address the third-party risk mitigation requirements of NIST 800-53.
Identify
Protect
Detect
Respond
- Keep incident response and security plans up to date.
- Periodically test the resilience of incident response plans with red/blue team penetration testing.
- Establish a reliable cyber incident communication channel to keep stakeholders and regulatory bodies informed.
- Segment the network to contain cyber threats and disrupt lateral movement following network compromise.
Recover
How Cybersecurity Can Help
Cybersecurity helps businesses comply with the third-party risk security requirements of NIST 800-53 with a platform addressing the entire Vendor Risk Management lifecycle. By offering a library of questionnaires mapping to NIST Special Publication 800-53 and other popular standards like the GDPR, and combining these point-in-time assessments with continuous attack surface monitoring, Cybersecurity gives security teams real-time awareness of their entire attack surface and their level of NIST 800-53 compliance.