NIST CSF Background
The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) in response to Presidential Executive Order 13636, which was signed in 2013. This voluntary guidance is based on existing standards, guidelines, and practices to help organizations better manage and reduce information security risk. Another benefit is an increased level of communication around information security with both internal and external organizational stakeholders.
NIST CSF 1.0 vs. 1.1
The first version of the NIST CSF has served us well since its adoption in 2014. Five years have passed, and the threat landscape has not been stagnant. Because of this, a new version, v1.1, was adopted in 2018. Much of the framework still resembles the original v1.0 framework, with changes to language that more clearly state each control's intent. Some additional categories were added to v1.1 as a result of the emerging threats facing many organizations. Supply Chain Risk Management, ID.SC (Vendor Risk Management), is an area that certainly deserves to be formally addressed by the new framework.
There are 5 sub-categories that fall under ID.SC. Let’s dig a little into each sub-category and look at what it means from a practical standpoint.
Supply Chain Risk Management (ID.SC)
“The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”
Translation – Your organization formally addresses the risks associated with using 3rd party vendors to support your business initiatives. The process is formal and structured to ensure you evaluate all vendors, not just the ones you feel are important.
| ID.SC Subsection | NIST Language | Explained |
|---|---|---|
| ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and | Executive management requires that Vendor Risk |
| ID.SC-2 | Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk | Every vendor has been identified and classified (criteria initially with more scrutiny applied based on risk levels introduced. |
| ID.SC-3 | Contracts with suppliers and third-party partners | You can use contracts to ensure 3rd party suppliers |
| ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | In ID.SC-2 above, you initially evaluate 3rd party vendors and assign a risk level. That process should be repeated on a regular (annual) basis. You can focus on the higher-risk vendors, but you need to consider ALL vendors, even the low-risk ones. |
| ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers | High-risk vendors, ones that could cause grave harm to your organization, should be tested for response and recovery assurances. You don’t want their lack of planning and preparedness to negatively affect your |
OK, now what?
Once you determine that you will follow these sound information security principles, you will need a way to do so. Traditionally, questionnaire forms and spreadsheets were used to track vendor risk. Because of the explosion in 3rd party vendor use, this process is no longer a viable solution. SecurityStudio allows you to address the new NIST CSF Supply Chain Risk Management (ID.SC) guidelines. The once cumbersome process is greatly simplified, efficient, and thorough, which puts you in a defensible position.