
Monitoring Third-Parties Continuously – A NIST Perspective

NIST has released two industry standards that drive security requirements around supply-chain (a.k.a. third-party) management. Here is an overview of what the NIST guidelines say about continuous third-party risk monitoring.

NIST 800-53

NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organisations, sets out guidelines and controls for protecting the government’s sensitive information, as well as citizens’ personal information, from information security and cyber attacks. It aims to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). The controls (operational, technical and management safeguards) and guidelines evolve in step with changes in the information and cyber security landscape and with shifts in infrastructure and business models. The ultimate goal, however, remains the same: to maintain the integrity, confidentiality and security of federal information systems.

The draft of the fifth revision has currently been released. Some important changes in this revision are:

How NIST 800-53 Views Third Parties


NIST views supply chain risk management as a critical organisational function. Organisational assets need to be protected throughout the system development life cycle, and a standardised process needs to be in place to address the supply-chain risk of information systems and system components. Another important process is educating the acquisition workforce on threats, risks and the required security controls.

Most of the supply-chain related controls are listed under the System and Services Acquisition family of NIST 800-53, and in particular under the SA-12 controls.

Organisations can leverage these controls as follows:

NIST Supply-Chain Risk Management in a Nutshell

1. Employ organisation-defined, tailored acquisition strategies for the purchase of the information system and/or system component.

2. Conduct a supplier review prior to entering into a contractual agreement.

3. Employ security safeguards to limit harm from potential adversaries.

4. Conduct an assessment of the information system, system component or information system service prior to selection, acceptance or update.

5. Use all-source intelligence analysis (including OSINT) of suppliers and potential suppliers of the information system.

6. Employ at least one of the following: organisational analysis, independent third-party analysis, organisational penetration testing, independent third-party penetration testing.

NIST Cyber Security Framework (CSF)

In April 2018, NIST updated its Cybersecurity Framework, clarifying and enhancing some of its requirements. An important part of the update expands the Cyber Supply-Chain Risk Management process and adds a section on Buying Decisions.

The framework can be seen as a common language that aims to improve “risk and cybersecurity communications” both internally, from the server room to the board room, and across stakeholders. It is an inclusive framework that can be used across many businesses and different domains.

The framework simplifies the cybersecurity activities within an organisation by narrowing them down to five functions: Identify, Protect, Detect, Respond and Recover, following steps similar to those of NIST SP 800-53.

Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, explains how to use the framework to manage supply chain risk.

Cyber SCRM addresses both the cybersecurity effect an organisation has on external parties and the cybersecurity effect external parties have on the organisation. Organisations can use the Current Profile or Target Profile to express their cybersecurity state and requirements to existing or prospective suppliers.

Most of the supplier-related actions are contained in the Supply Chain Risk Management category of the Identify function of the framework.

Cyber SCRM activities may include: 

How DVV Solutions and Black Kite can help

Comprehensive Cyber Risk Rating

The Black Kite cyber rating can be leveraged directly across the whole supply-chain risk management process covered by SA-12 of NIST 800-53 and by the Supply Chain Risk Management category of the NIST CSF.

Compliance Module

Knowing a third party’s cybersecurity maturity level by assessing its compliance level is a key component in reducing third-party risk. Black Kite’s standards-based approach makes it easy to estimate and assess the compliance levels of third parties: Black Kite correlates cyber risk findings to industry standards and best practices. This classification allows organisations to measure the compliance level of any company against different regulations and standards, including NIST 800-53, ISO 27001, PCI-DSS, HIPAA, GDPR and Shared Assessments.

Probable Financial Impact Rating based on Open FAIR

Figure: Calculating the probable financial impact from a cybersecurity breach

Black Kite uses the Open FAIR model to calculate the probable financial impact if a third-party vendor, partner or supplier experiences a breach, and communicates that risk in quantitative, easy-to-understand business terms. Open FAIR has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk, meeting the criterion of “…implementing a standardised process to address supply chain risk” in NIST 800-53 SA-12.

Black Kite Features to Utilise in NIST compliance

The table below summarises how Black Kite can be used to understand the compliance level of third parties against NIST control items.

Table: NIST control items in Black Kite cyber security assessments

Start, Grow and Optimise Your TPRM Program Today


Black Kite’s automated compliance correlation has helped hundreds of organisations save time, money and resources by automatically measuring compliance levels for any vendor within their cyber ecosystem.

Register Now and receive a complimentary Technical, Financial, and Compliance rating of your company or any supplier in your ecosystem.

For more information on how DVV Solutions can mature and scale your Third Party Risk and Compliance Program:

Call us: +44 (0) 161 476 8700

Contact us: complete our Contact Form, or

Learn more about What We Do


This article was originally published by Black Kite and is shared with their kind permission.