
Monitoring Third-Parties Continuously: A NIST Perspective

NIST has released two industry standards that drive security requirements around supply-chain (a.k.a. Third-Party) management. Here is an overview of the NIST guidance on continuous Third-Party risk monitoring.


NIST 800-53

NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organisations, sets out guidelines and controls for protecting the government's sensitive information, as well as citizens' personal information, from information security and cyber attacks. It aims to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).

The controls (operational, technical, and management safeguards) and guidelines evolve in step with changes in the information and cyber security landscape, as well as shifts in infrastructure and business models. However, the ultimate goal remains the same: to maintain the integrity, confidentiality, and security of federal information systems.

Currently, the draft publication is released for the fifth revision. Some important changes in this revision are:


How NIST 800-53 Views Third-Parties

NIST views supply chain risk management as a critical organisational function. Organisational assets need to be protected throughout the system development life cycle. A standardised process needs to be established to address the supply-chain risk of information systems and system components. Another important process is educating the acquisition workforce on threats, risks, and required security controls.

Most of the supply-chain related controls are listed under the System and Services Acquisition Policy and Procedures family of NIST 800-53, and in particular under the SA-12 controls.

Organisations can leverage these controls:


NIST Supply-Chain Risk Management in a Nutshell

  1. Employ organisation-defined tailored acquisition strategies for the purchase of the information system and/or system component.
  2. Conduct a supplier review prior to entering into a contractual agreement.
  3. Employ security safeguards to limit harm from potential adversaries.
  4. Conduct an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
  5. Use all-source intelligence analysis (including OSINT) of suppliers and potential suppliers of the information system.
  6. Employ at least one of the following: organisational analysis, independent Third-Party analysis, organisational penetration testing, independent Third-Party penetration testing.


NIST Cyber Security Framework (CSF)

In April 2018, NIST updated its Cyber Security Framework to Version 1.1, clarifying and enhancing some of its requirements. An important part of the update expands the Cyber Supply-Chain Risk Management process and adds a section on Buying Decisions.

This framework can be seen as a common language aimed at improving "risk and cybersecurity communications" both internally (from the server room to the board room) and across stakeholders. It is an inclusive framework that can be used across many businesses and different domains.

The framework simplifies the cybersecurity functions within an organisation by narrowing them down to five: Identify, Protect, Detect, Respond, and Recover, following steps similar to those of NIST SP 800-53.

Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, explains how to use the framework to manage supply chain risk.

Cyber SCRM addresses both the cybersecurity effect an organisation has on external parties and the cybersecurity effect external parties have on an organisation. Organisations can use the Current Profile or Target Profile to communicate their cybersecurity state and requirements to existing or prospective suppliers.

Most of the supplier-related actions are contained in the Supply-Chain Risk Management category of the framework's Identify Function.

Cyber SCRM activities may include:


How DVV Solutions and NormShield Can Help

Comprehensive Cyber Risk Ratings

NormShield cyber ratings can be leveraged directly throughout the supply-chain risk management process covered under SA-12 of NIST 800-53 and the Supply Chain Risk Management category of NIST CSF.

Compliance Module

Knowing the cybersecurity maturity level by assessing compliance levels is a key component in reducing Third-Party risks. NormShield's standards-based approach makes it easy to estimate and assess the compliance levels of Third-Parties. NormShield correlates cyber risk findings to industry standards and best practices. This classification allows organisations to measure the compliance level of any company against different regulations and standards, including NIST 800-53, ISO 27001, PCI DSS, HIPAA, GDPR, and Shared Assessments.


Probable Financial Impact Rating based on Open FAIR

NormShield uses the Open FAIR model to calculate the probable financial impact if a Third-Party vendor, partner or supplier experiences a breach.

It communicates risks in quantitative, easy-to-understand business terms.

Open FAIR has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk, meeting the criterion of "... implementing a standardised process to address supply chain risk" in NIST 800-53 SA-12.



A Summary of NormShield Features to Utilise

The table below summarises how NormShield can be utilised to understand the compliance level of Third-Parties for NIST control items.

[Table: NormShield NIST Comparison Chart]


This blog was originally published by NormShield and is shared with their kind permission.


About NormShield

NormShield enables enterprises to monitor their external cyber risk posture and perform non-intrusive cyber risk assessments of their suppliers, subsidiaries and target acquisitions. Using easy-to-understand reports, we provide standards-based letter grades across various risk categories, along with data on how to mitigate each risk in priority order. Learn more at