How to Meet the Third-party Risk Requirements of NIST CS

NIST CSF, or the National Institute of Standards and Technology Cybersecurity Framework, is a voluntary cybersecurity guidance document designed to help organizations identify and protect their critical information assets. Released in 2014, NIST CSF has become a popular tool for businesses of all sizes as they work to improve their security posture. In this post, we'll take a closer look at what NIST CSF is and how you can use it to protect your organization.

5 Functions of NIST CSF

1. Identify

The Identify Function allows cybersecurity to be managed to ensure it can support the needs of the business. This function helps an organization understand the critical functions, resources, and risks related to those areas to know how best to protect the organization from cybersecurity risks.

2. Protect

The Protect Function allows for appropriate measures to be taken in the event of an attack on the critical infrastructure. These safeguarded services ensure minimal impact from these attacks and support the ability to limit or contain them as needed.

3. Detect

The Detect Function enables enterprises to quickly identify when a cyber-event has occurred to take necessary precautions and respond accordingly.

4. Respond

The Respond Function is responsible for taking action in the event of a detected cybersecurity incident. The ability to contain potential impacts makes this function essential.

5. Recover

The Recover Function is responsible for identifying appropriate activities to maintain plans and restore any impaired capabilities or services due to a cybersecurity incident. The goal of this function should be timely recovery so as not to introduce additional impacts from these events into your business operations.

Is CSF an Appropriate Third-Party Risk Assessment Model for the Organization?

The CSF is an excellent tool for third-party risk management and can be used for any organization. However, it's essential to keep in mind that the CSF is just one model, and not all organizations will find it to be the best fit. Ultimately, whether or not to use the CSF comes down to an organization's specific needs and goals. If an organization is looking for a comprehensive, all-inclusive approach to third-party risk management, the CSF is worth considering. However, if an organization has more specific needs or uses another assessment model (such as NIST), there's no need to switch to the CSF. In short, the CSF is an excellent option for third-party risk management, but it's not necessarily the right choice for every organization.

When assessing whether CSF is a good fit for your organization, consider these three questions:

  1. What is the inherent risk of the activity performed by the third party? Would the activity be less risky if performed by the first party?

  2. What security controls have been adopted by the organization with respect to other globally accepted frameworks (e.g., International Organization for Standardization [ISO], COBIT)? Can these controls be cross-referenced within the CSF?20

  3. Is it feasible for the third party to implement the security control, given the overall business relationship? If not, what is the best workaround that meets the security objective without impairing business functions?

CFS is probably not a great fit if the answer is no to these questions.

Third-Party Risk Requirements in NIST CSF

1. Continuous Monitoring of the Attack Surface

Attack surface monitoring is a critical component of any effective security strategy. By actively monitoring incoming data and assessing risk levels across different systems, organizations can proactively identify potential vulnerabilities and take steps to mitigate risks.

2. Tier Your Vendors

Vendor tiering is an important process for businesses looking to improve their overall security posture. This process involves categorizing different vendors based on their degree of risk criticality, with those deemed most critical getting the majority of the organization's attention and resources.

3. Regularly Evaluate Third-Party Vendors with Security Assessments and Questionnaires

Security assessments and questionnaires are essential tools for evaluating a vendor's cybersecurity practices. They help to uncover any breaches of agreed security standards and any vulnerabilities that attackers could exploit.

4. Track Third-Party Vendor Security Postures with Security Ratings

Security ratings are a valuable tool for security professionals. They can be used to verify the remediation efforts of vendors and as indicators of potential security lapses requiring further investigation.

5. Request the Findings of Regular Third-Party Vendor Pen Tests

To ensure that security standards are met across the entire supply chain, it is essential to implement a regular pen testing schedule into contracts with all vendors. These security tests should cover a range of issues, including access control security, asset management security, federal information system security, and any relevant risk management frameworks. The findings of these tests should be shared with your security team, who will then use this information to evaluate each vendor's recovery plan and determine areas for improvement.

Supply Chain Risk Management (ID.SC)

  • ID.SC-1: Manage the organization's supply chain risk strategy and its operational aspects

Cyber supply chain risk management processes are

identified, established, assessed, managed, and agreed to by organizational stakeholders

  • ID.SC-2: Establish a supply chain risk assessment process

Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk

assessment process.

  • ID.SC-3: Integrate supply chain risk management activities into organizational risk management processes

Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.

  • ID.SC-4: Define metrics for tracking supply chain risk

Suppliers and third-party partners are routinely assessed using audits, test results, or other evaluations to confirm they are meeting their contractual obligations.

  • ID.SC-5: Implement an automated solution to continuously monitor, evaluate and communicate third parties' compliance with the information security requirements defined by the organization

Response and recovery planning and testing are conducted with suppliers and third-party providers


NIST CSF is a comprehensive model that can manage and assess third-party risk. The five functions of NIST CSF provide a structure for evaluating risk and implementing security controls. While not all organizations will need to implement every function, the framework offers a robust foundation for Third-Party Risk Management and Supply Chain Risk Management. If you are looking for a comprehensive model to help you manage third-party risk, NIST CSF is an excellent option.

Featured Posts
Recent Posts
Search By Tags
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Social Icon