Supply chain security incidents dominate the headlines, with a new breach announced seemingly every day, whether a software intrusion such as SolarWinds or Okta, or a supplier compromise such as the one that hit Toyota. More recently, Microsoft disclosed an intrusion in which a compromised signing key granted illicit access to customer data.
With the continued pace of third-party attacks, security teams are left asking: What could possibly happen next?
NIST CSF and Third-Party Risk Management
For many organizations, the answer is: You need to get your third-party risk management (TPRM) house in order by leveraging best practices, guidance, and benchmarks. Often, that guidance comes from common cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Now that the NIST CSF version 2.0 has been finalized, significant changes will impact how you design and implement your TPRM program to address these risks.
In this post, I will examine the most impactful third-party risk management (TPRM) and cybersecurity supply chain risk management (C-SCRM) changes in the NIST CSF, review its Core Functions, and recommend best practices for implementing it as part of your third-party risk management program.
3 Impactful TPRM Updates in NIST CSF Version 2.0
1. New Govern Function
The introduction of the Govern Function illustrates how critical cybersecurity governance is to managing and reducing cybersecurity risk in supply chains. Governance content previously spread across the other Functions (Identify, Protect, Detect, Respond, and Recover) has been consolidated into the Govern Function. With these changes, cybersecurity governance includes:
- Determining priorities and risk tolerances of the organization, customers, and society
- Assessing cybersecurity risks and impacts (including for third parties)
- Establishing cybersecurity policies and procedures
- Understanding cybersecurity roles and responsibilities
According to NIST, these activities are critical to detecting, responding to, and recovering from cybersecurity-related events and incidents – as well as to overseeing teams who carry out cybersecurity activities for the organization.
As organizations increasingly depend on third parties for essential services and technologies, strong governance becomes critical for managing these risks in a structured and consistent manner. Including the Govern Function in NIST CSF 2.0 supports this need by aligning third-party risk management practices with broader corporate governance frameworks.
Key Third-Party Risk Management Features of the Govern Function:
A dedicated governance Function will help align and integrate third-party cybersecurity activities and processes across third-party risk management, enterprise risk management, and legal teams. Some aspects to note include:
Enhanced Accountability and Decision-Making:
CSF 2.0’s Govern Function highlights the importance of defining clear roles and responsibilities within cybersecurity programs, particularly for managing third-party risks. By establishing accountability, organizations can integrate third-party risk management into the overall governance framework, preventing it from becoming fragmented. It encourages assigning responsibility for vendor risk assessment, contract management, and ongoing compliance monitoring, reducing vulnerabilities. Additionally, the Govern Function promotes formal processes for evaluating third-party risks and making informed decisions about vendor selection and oversight, ensuring these choices align with the organization’s risk tolerance and cybersecurity goals.
Policy Development and Compliance:
The Govern Function encourages organizations to create policies covering all aspects of third-party risk management, from vendor selection to continuous monitoring and incident response. These policies ensure that vendors meet security requirements, such as adhering to specific standards, undergoing audits, or implementing security controls. Additionally, the Govern Function addresses compliance with both internal policies and external regulations, helping organizations align third-party risk management with regulations and industry guidance such as HIPAA or the FFIEC handbooks, to demonstrate compliance and avoid penalties.
Risk Oversight and Continuous Improvement:
NIST CSF 2.0 governance emphasizes the importance of continuous oversight and improvement in third-party risk management. This is also highlighted in the Improvement (ID.IM) Category of the Identify Function. The Govern Function urges organizations to establish processes for regularly reviewing and updating their third-party risk management practices. This allows organizations to adapt strategies as the threat landscape and third-party relationships evolve.
Continuous improvement may include reassessing vendors’ security postures, conducting audits, and reviewing third-party incident reports. It also involves updating contracts and service-level agreements (SLAs) to address new cybersecurity risks or regulatory requirements. Embedding these activities into governance ensures continuous monitoring and mitigation of third-party risks.
2. Increased Roles for Legal and Compliance Teams
Consistent with the addition of the Govern Function, CSF 2.0 emphasizes the role of legal and compliance teams. For TPRM, these groups require accurate and timely reporting from suppliers, vendors, and other third-party organizations that may have access to sensitive data, systems, and applications.
3. Enhanced Guidance on Supply Chain Risks
The most impactful CSF 2.0 update for TPRM teams is the enhanced guidance on managing supply chain risks. CSF 2.0 includes additional cybersecurity supply chain risk management (C-SCRM) outcomes to help organizations address these distinct risks. According to the CSF, “The primary objective of C-SCRM is to extend appropriate first-party cybersecurity risk management considerations to third parties, supply chains, and products and services an organization acquires, based on supplier criticality and risk assessment.”
The Supply Chain Risk Management Category, which sat under the Identify Function (ID.SC) in CSF 1.1, has been expanded and moved into the new Govern Function as GV.SC. It includes new provisions for incorporating cybersecurity into contracts, handling contract termination, and continuously evaluating third-party risks across the organization's environment.
Next Steps: Download the Complete NIST CSF 2.0 Checklist
Finalized in February of 2024, version 2.0 can help organizations better incorporate comprehensive TPRM and C-SCRM into their operations, from governance to risk management and cybersecurity. By formalizing governance structures around third-party relationships, ensuring accountability, developing robust policies, and promoting continuous oversight, CSF 2.0 provides a comprehensive framework for addressing the complex risks posed by third parties.
Watch my on-demand webinar with Prevalent to learn more about how NIST CSF 2.0 incorporates TPRM and cybersecurity supply chain risk management controls. I also invite you to download the comprehensive NIST CSF 2.0 checklist developed by Prevalent. It examines the Govern Function and its supply chain risk management controls in detail.
For more on the Prevalent TPRM solution for NIST CSF 2.0, schedule a demonstration with them today.
The NIST CSF Structure
The CSF is organized into six Core Functions: Govern, Identify, Protect, Detect, Respond, and Recover. The Core Functions are outcome-oriented; NIST does not consider them a checklist of actions. For an illustration of the Core Functions, see the graphic below.
The six Core Functions of the NIST Cybersecurity Framework. Courtesy: NIST.
1. Govern
A new Function introduced with version 2.0, Govern is foundational and designed to inform how an organization will achieve and prioritize the outcomes of the other five Functions in the context of its broader enterprise risk management strategy. It includes oversight of the cybersecurity strategy, roles, responsibilities, policies, processes, and procedures, and it centralizes cybersecurity supply chain risk management guidance.
2. Identify
The Identify Function is designed to establish an understanding of an organization’s assets (e.g., data, hardware, software, systems, facilities, services, and people) and the related cybersecurity risks.
3. Protect
The Protect Function offers specific guidance to secure assets to reduce the likelihood and impact of adverse cybersecurity events. Included here are topics such as awareness and training, data security, identity management, authentication and access control, platform security (i.e., securing the hardware, software, and services of physical and virtual platforms), and the resilience of technology infrastructure.
4. Detect
The Detect Function is meant to enable the discovery and analysis of anomalies, indicators of compromise, and other potentially adverse cybersecurity events.
5. Respond
The Respond Function includes guidelines for containing the impact of cybersecurity incidents, such as incident management, analysis, mitigation, reporting, and communication.
6. Recover
The Recover Function includes guidelines for restoring normal operations to reduce the impact of cybersecurity incidents.
Nearly every Function includes Categories and Subcategories that directly apply to third-party risk management and cybersecurity supply chain risk management. For example, the Identify Function focuses more on asset and risk identification, including third-party systems and services. Organizations are encouraged to perform due diligence on third parties to identify vulnerabilities and ensure compliance with cybersecurity standards. The Protect and Detect Functions provide guidelines on implementing security controls to mitigate third-party risks, such as monitoring access and ensuring vendor adherence to security policies.
The Govern Function: Cybersecurity Supply Chain Risk Management in Depth
Note: This is a summary table only and is not an exhaustive list of NIST Categories. For a full view of the NIST CSF, download the complete version. Work with your internal audit team and external auditors to determine the right Categories and Subcategories to focus on.
| Function, Category and Subcategory | Best Practices |
|---|---|
| GOVERN (GV): The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. | |
| Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | |
| GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders. GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally. GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes. | Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program that aligns with your broader information security and governance, enterprise risk management, and compliance programs. * Seek out experts to collaborate with your team on: As part of this process, you should define: |
| GV.SC-04: Suppliers are known and prioritized by criticality | Centralize your third-party inventory in a software solution. Then, quantify inherent risk for all third parties. Criteria used to calculate inherent risk for third-party prioritization should include: * Type of content required to validate controls. Based on this inherent risk assessment, your team can automatically place suppliers into a given category, set appropriate tiers for further review, and determine the scope of ongoing assessments. Rule-based tiering logic should enable vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations. |
| GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | Centralize the distribution, discussion, retention, and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities should include: * Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status, with customized, role-based views. This capability lets you ensure that clear responsibilities and audit clauses are set out in the vendor contract and that SLAs are tracked and managed accordingly. |
| GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Centralize and automate the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes. With all service providers centralized and reviewed, teams should build comprehensive vendor profiles that include a vendor's demographic information, third-party technologies, ESG scores, recent business and reputational insights, data breaches, and recent financial performance. This level of due diligence provides greater context for vendor selection decisions. |
| GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes. Assessments should be managed centrally and supported by workflow, task management, and automated evidence review capabilities, so your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results, to ensure your third parties address risks in a timely and satisfactory manner and can present the corresponding evidence to auditors. As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor to streamline risk review, reporting, remediation, and response initiatives. Be sure to include third-party operational, reputational, and financial data to give context to cyber findings and to measure the impact of incidents over time. |
| GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | As part of your broader incident management strategy, ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place. Key capabilities of a third-party incident response solution should include: * Continuously updated and customizable event and incident management questionnaires. Also consider using databases that hold several years of data breach history for thousands of companies worldwide, including the type and volume of data stolen, compliance and regulatory findings, and real-time vendor breach notifications. With these insights, your team can better understand the scope and impact of the incident, which data was affected, whether the third party's operations were disrupted, and when remediation is complete, all with expert assistance. |
| GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Please see GV.SC-01 and GV.SC-02. |
| GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Building on the best practices recommended for GV.SC-05, automate contract assessments and offboarding procedures to reduce risk to your organization after the contract ends. * Schedule tasks to review contracts to ensure all obligations have been met |
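As an added example (not code from the original post or from the Prevalent/Mitratech product), the Python below sketches the rule-based tiering logic called for under GV.SC-04 and the tier-driven assessment cadence under GV.SC-07. Inherent risk is scored from data sensitivity, access type, regulatory scope, spend, and substitutability; hard floors keep regulated-data and privileged-access vendors out of the lowest tier regardless of weighted score; and each tier fixes how often the vendor is reassessed and what evidence is required to validate its controls. All criteria, weights, spend bands, tier thresholds, cadences, and the sample vendors are hypothetical.

```python
"""Rule-based inherent-risk scoring and tiering for a third-party inventory.

Added example for GV.SC-04 / GV.SC-07; not code from the original post or from
the Prevalent/Mitratech product. Criteria, weights, spend bands, tier
thresholds, assessment cadences and the sample vendors are all hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List

# Severity lookups on a 0-4 scale (hypothetical values).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "regulated": 4}
ACCESS_TYPE = {"none": 0, "isolated_saas": 1, "network": 2, "privileged": 4}
REGULATORY_SCOPE = {"none": 0, "sox": 3, "pci": 4, "hipaa": 4}
SUBSTITUTABILITY = {"commodity": 0, "weeks": 2, "months": 3, "sole_source": 4}

# Criteria weights sum to 1.0, so the weighted severity is 0-4 and x25 gives 0-100.
WEIGHTS = {"data": 0.30, "access": 0.30, "regulatory": 0.15,
           "financial": 0.10, "substitutability": 0.15}

# Tier 1 = most critical. Reassessment cadence and the evidence required to
# validate controls are driven by tier, not by the vendor's preference.
ASSESSMENT_PLAN = {
    1: {"cadence_months": 3, "evidence": ["full_questionnaire", "soc2_type2", "pen_test_summary"]},
    2: {"cadence_months": 12, "evidence": ["full_questionnaire", "soc2_type2"]},
    3: {"cadence_months": 24, "evidence": ["self_attestation"]},
}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str        # key of DATA_SENSITIVITY
    access_type: str             # key of ACCESS_TYPE
    regulatory_scope: str        # key of REGULATORY_SCOPE
    annual_spend_usd: int
    substitutability: str        # key of SUBSTITUTABILITY
    adverse_media: bool = False  # reputational signal from continuous monitoring


def financial_severity(annual_spend_usd: int) -> int:
    """Map annual spend to 0-4: the number of hypothetical spend bands reached."""
    bands = (50_000, 250_000, 1_000_000, 5_000_000)
    return sum(annual_spend_usd >= b for b in bands)


def inherent_score(v: Vendor) -> float:
    """Weighted inherent risk on a 0-100 scale, before any control evidence is considered."""
    severity = {
        "data": DATA_SENSITIVITY[v.data_sensitivity],
        "access": ACCESS_TYPE[v.access_type],
        "regulatory": REGULATORY_SCOPE[v.regulatory_scope],
        "financial": financial_severity(v.annual_spend_usd),
        "substitutability": SUBSTITUTABILITY[v.substitutability],
    }
    score = 25.0 * sum(WEIGHTS[k] * severity[k] for k in WEIGHTS)
    if v.adverse_media:  # reputational uplift, capped at the scale maximum
        score = min(100.0, score + 10.0)
    return round(score, 2)


def tier(v: Vendor) -> int:
    """Score bands plus hard floors that a low weighted score must not dilute."""
    score = inherent_score(v)
    t = 1 if score >= 60 else 2 if score >= 40 else 3
    # Floor: regulated data or privileged access is never Tier 3, whatever the spend.
    if v.data_sensitivity == "regulated" or v.access_type == "privileged":
        t = min(t, 2)
    # Concentration risk: a sole-source supplier holding non-public data is Tier 1.
    if v.substitutability == "sole_source" and v.data_sensitivity != "public":
        t = 1
    return t


def prioritize(inventory: List[Vendor]) -> List[Dict]:
    """Rank the inventory most critical first and attach each tier's assessment plan."""
    rows = []
    for v in inventory:
        t = tier(v)
        rows.append({"name": v.name, "tier": t, "score": inherent_score(v),
                     **ASSESSMENT_PLAN[t]})
    return sorted(rows, key=lambda r: (r["tier"], -r["score"], r["name"]))


# Constructed sample inventory (not real vendors).
SAMPLE_INVENTORY = [
    Vendor("OfficeSnacks", "public", "none", "none", 20_000, "commodity"),
    Vendor("ShredCo", "regulated", "none", "none", 10_000, "commodity"),
    Vendor("FinReportingSaaS", "confidential", "isolated_saas", "sox", 300_000, "weeks"),
    Vendor("MSP-Ops", "confidential", "privileged", "none", 900_000, "weeks", adverse_media=True),
    Vendor("CoreBanking", "regulated", "network", "pci", 6_000_000, "sole_source"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_INVENTORY):
        print(f"Tier {r['tier']}  {r['score']:6.2f}  {r['name']:<17} "
              f"reassess every {r['cadence_months']:>2} months; evidence: {', '.join(r['evidence'])}")
```

Running the script prints the prioritized inventory. The floor rules are the part worth copying: a weighted average alone lets a low-spend, commodity vendor that holds regulated data (ShredCo here, scoring 30.0) drop to the lowest tier, and with it to a self-attestation every two years; the floor keeps it at Tier 2 with a full questionnaire and SOC 2 Type II evidence annually.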
Editor's note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-powered third-party risk management provider. The content has since been updated and now contains information aligned with our product offering, regulatory changes, and compliance.