Third-Party Risk Management for NIST 800-53 Rev. 5

Blog 10 MINS | November 26, 2019
Third-Party Risk Management for NIST 800-53 Rev. 5

The National Institute of Standards and Technology (NIST) 800 Special Publication 53 (revision 5)– “Security and Privacy Controls for Information Systems and Organizations”– sets forth the privacy and security controls that organizations should implement to safeguard their information systems.  It includes controls to evaluate, monitor, and mitigate risks related to suppliers and other third parties. Industries and organizations across the private sector widely accept and rely on NIST guidance.

Demonstrating adherence to NIST 800-53’s third-party risk controls is important to meet your organization’s objectives, internal policies, and regulatory or legal requirements. We outline what you need to know about NIST 800-53 and third-party risks.

Is your organization NIST 800-53 ready? Download our NIST 800-53 compliance checklist today to find out.

How does NIST 800-53 impact third-party risk management?

The NIST framework provides guidance on third-party risk management, generally referred to as supply chain risk management, to help organizations establish and implement controls to protect their information systems and the data within them.  These controls aim to ensure that organizations properly vet the privacy and security implications of the third parties that develop, deploy, and maintain information system technologies, or otherwise supply and handle information assets. With respect to third-party risks, NIST 800-53 covers, among other things, the following:

  • Supply chain risk management and plans

  • External system service providers
  • Risk assessments of third parties and outsourced service providers
  • Incident handling, reporting, and response plans, as well as contingency plans
  • Information sharing with external parties

Risk Assessment and Monitoring

To adhere with NIST 800-53, organizations should put in place policies and procedures to evaluate any supply chain risk associated with third parties and update them periodically.  The assessments should incorporate criticality, threat, and vulnerability analyses, addressing privacy-related problems.  With the appropriate allocation of resources, implementation of checks and balances, and creation of contingency plans created, organizations can better monitor their supply chain risk over time.

External Personnel Security & System Services

NIST 800-53 requires that organizations implement controls for evaluating personnel security requirements and monitoring their compliance with established security policies, including those that are external providers.  Organizations should document their external personnel security policies and procedures.  The organizations should establish monitoring procedures to ensure service providers’ compliance with the defined privacy and security controls.

Incident Response

Organizations seeking to demonstrate and maintain compliance with NIST 800-53 should have a documented plan in place for handling and responding to any supply chain events or incidents.  The plan should include, among others, procedures for communicating the incidents with the proper team members and/or external providers.  Among other measures, organizations should establish a direct, cooperative relationship between their incident response capability and their external providers’ capabilities.

What third-party risk management challenges does NIST 800-53 present?

The NIST framework calls for assessing, monitoring, and mitigating risks associated with every part of the supply chain. Consequently, the need to gather and document all the necessary details can be cumbersome.  Organizations must be able to properly evaluate the third parties, despite having little visibility into those parties’ internal operations.

How OneTrust Vendorpedia helps with NIST 800-53 compliance?

OneTrust Vendorpedia provides organizations with an effective and efficient process to collect, organize, and analyze the risks associated with their third parties.  With our Risk Exchange and Chasing Service capabilities, organizations can minimize the amount of time and effort they use to collect the information concerning their third parties. Vendorpedia also allows organizations to automate their supply chain risk assessments, monitor supplier and risk changes, and mitigate risks, allowing them to scale their operations easily and quickly. Request a demo today!