美国国家标准与技术研究院 (NIST)800-53 Rev. 5是一套全面的最佳实践安全控制标准,许多组织都将其作为内部安全计划的框架。该标准将 1000 多种不同的控制措施归入控制系列。对于安全、风险管理和审计团队来说,如此广泛的可用控制措施很快就会让他们应接不暇,难以确定哪些是最重要的控制措施。如果您不仅要负责评估自己组织的内部控制,还要评估第三方供应商的内部控制,任务就会变得更加复杂。
In this post we discuss how to organize controls into functions and then identify the 15 most essential NIST controls for assessing third-party supplier or vendor security risk.
组织供应链风险管理 NIST 800-53 控制措施的关键问题
When considering which are the most applicable supply risk management NIST cybersecurity controls, start by answering these questions – sorted into one of the Five Functions in the NIST framework:
- Identify: Has the supplier identified its critical systems and components under a risk management framework? This is the foundation for developing a cybersecurity framework.
- 保护:供应商是否定义并实施了控制措施,以管理对关键系统的访问和可见性?通过积极主动的控制管理来限制或遏制威胁至关重要。
- 检测:供应商对新出现的威胁是否有可视性?识别可能最终影响组织的事件(如事件、弱点和威胁)非常重要。
- 回应:供应商能否识别并处理事故和威胁?这就是采取行动,控制网络安全事件并将其影响降至最低。
- 恢复:供应商是否有能力恢复关键系统和服务?这个问题决定了第三方能否恢复受网络安全事件影响的能力或服务。
供应链风险管理的 15 大 NIST 控制措施
The following table summarizes the 15 key NIST controls that address the questions above, by function. Please note that these are just the minimum of controls. You should consult your auditor for validation.
| 功能 | NIST 800-53 控制 |
|---|---|
| 识别
供应商是否在风险管理框架下确定了其关键系统和组件? |
RA-3:风险评估 – Conduct 风险评估, document the results, and review and update the assessments at defined frequencies.
SA-4:采购流程- 确定新系统采购中的安全和隐私控制措施。 CM-8:系统组件清单--制定并记录准确反映系统的系统组件清单。 SR-2:风险管理计划- 制定供应链风险管理计划。 |
| 保护
供应商是否定义并实施了控制措施,以管理关键系统的访问和可见性? |
SC-7:边界保护 - 监控外部和内部管理界面的通信。
IA-2:识别和授权--唯一识别和认证用户;批准逻辑访问授权。 AT-2:培训和认识- 组织应为系统用户提供安全和隐私培训。 CM-3:变更控制--确定和记录系统变更的类型,记录变更,并进行监控和审查。 AC-3:访问执行--根据访问控制策略,对信息和系统资源的逻辑访问执行经批准的授权。 |
| 检测
Does the supplier have visibility into new and emerging threats? |
RA-5:漏洞监控与扫描 - 监控和扫描系统和托管应用程序的漏洞。
SI-4:系统监控- 应对系统进行监控,以检测攻击和潜在攻击的迹象。 AU-2:事件日志- 确定系统能够记录的事件类型。 CP-2:应急计划--各组织应使用规定的测试方法测试系统的应急计划,以确保计划的有效性。 CP-4:应急测试--通过规定的测试,检验系统应急计划的有效性。 |
| 响应和恢复
供应商能否识别并处理事故和威胁?他们是否有能力恢复关键系统和服务? |
IR-4:事件处理和响应- 各组织应实施与事件响应计划相一致的事件处理能力。 |
如何实施供应链风险管理的 15 大 NIST 控制措施
Identifying the right controls is only half the work. In order to operationalize them across your third-party risk program, you must map each control to specific vendor assessment, monitoring, and remediation capabilities.
Ready to dive deeper? Check out NIST Third-Party Compliance Checklist, which delivers a comprehensive look at how third-party risk management practices map to recommendations outlined in NIST 800-53, NIST 800-161, and NIST CSF.
To see how your current program maps to these controls, request a demo with Mitratech.
常见问题
Which NIST 800-53 control families apply to vendor and third-party risk assessments?
The SR (Supply Chain Risk Management), RA (Risk Assessment), CA (Assessment, Authorization, and Monitoring), and PM (Program Management) control families carry the most direct relevance for vendor assessments. Within those families, the 15 controls outlined in this post represent the minimum baseline for assessing third-party supplier security risk across the five NIST framework functions.
How many controls are in NIST 800-53?
NIST 800-53 Rev. 5 contains more than 1,000 individual controls and control enhancements organized into 20 control families. For third-party supply chain risk management specifically, the SR family is the most directly applicable, though controls from RA, CA, and PM are also commonly assessed in vendor security questionnaires.
How does NIST 800-53 differ from NIST 800-161 for supply chain risk?
NIST 800-53 is a broad security controls catalog applicable to all federal information systems, with a subset of controls relevant to supply chain risk. NIST 800-161 is purpose-built for cybersecurity supply chain risk management (C-SCRM), providing deeper guidance on implementing those controls specifically within a multilevel supply chain context. Organizations typically use 800-53 as the control baseline and 800-161 as the implementation framework.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management, Prevalent. The content has since been updated in July 2026 to include information aligned with our product offerings, regulatory changes, and compliance.