A Guide to the Recent Updates in the NIST Cybersecurity Framework

Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the
policies and procedures with the organizational stakeholders

Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders

Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, legal, human resources, and
engineering

Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy

Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and
informed

Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability

Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance

Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements

Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management

Ex3: Integrate cybersecurity supply chain risk management into improvement processes

Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level

Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language

Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in contracts

Ex4: Manage risk by including security requirements in contracts based on their criticality and potential impact if compromised

Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service

Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products

Ex8: Contractually require suppliers to vet their employees and guard against insider threats

Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections

Ex10: Specify in contracts the rights and responsibilities of the organization, its suppliers, and applicable lower-tier suppliers and supply chains, with respect to potential cybersecurity risks

Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers

Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including lower-tier suppliers and the supply chain for critical suppliers

Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use

Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections,
audits, tests, or other forms of evaluation

Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly

Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response

Ex3: Include critical suppliers in incident response exercises and simulations

Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers

Ex5: Conduct collaborative lessons learned sessions with critical suppliers

Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic.

Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software
providers

Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products

Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence

Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed

Ex4: Verify that assets containing the organization’s data are returned or properly disposed of in a timely, controlled, and safe manner

Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account

Ex6: Mitigate risks to data and systems created by supplier termination

Ex7: Manage data leakage risks associated with supplier termination

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes

GV.SC-04: Suppliers are known and prioritized by criticality

Seek out experts to collaborate with your team on:

• Defining and implementing TPRM and C-SCRM processes and solutions
• Selecting risk assessment questionnaires and frameworks
• Optimizing your program to address the entire third- party risk lifecycle – from sourcing and due diligence to termination and offboarding according to your organization’s risk appetite

As part of this process, you should define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance.

Start by quantifying inherent risks for all thirdparties Criteria used to calculate inherent risk for third-party prioritization includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status- with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly

As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions

Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third risks throughout the relationshiplifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Be sure to incorporate third-party operational, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.

(continued on next page)

Key capabilities in a third-party incident response service include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
• Built-in reporting templates for internal and external stakeholders
• Guidance from built-in remediation recommendations to reduce risk
• Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-riskdata

Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world -including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging experts

• Schedule tasks to review contracts to ensure all obligations have been met
• Issue contract assessments to evaluate status
• Leverage surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, etc.
• Centrally store and manage documents and certifications, such as NDAs, SLAS, SOWs and contracts
• Analyze documents to confirm key criteria are addressed
• Take actionable steps to reduce vendor risk with remediation recommendations and guidance
• Visualize and address compliance requirements by automatically mapping assessment results to regulations and frameworks

• Continuously assessing and monitoring the potentiaL risks the service provider introduces into your environment; and making recommendations to mitigate the impact of those risks
• Monitoring service levels, key performance indicators (KPIs) and key risk indicators (KRIs) to ensure adherence to contractual agreements
• Securely offboarding service providers to ensure data and system security post-contract termination

ID.RA-03: Internal and external threats to the organization are identified and recorded

ID.RA-04: Potential impacts and likelihoods of threats

Monitoring sources typically include:

• Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials – as well as several security communities,
• Databases containing several years of data breach history for thousands of companies around the world

(Continued on next page)

ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated

ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to alikelihood and impact model. This model should frame risks into a matrix, so you
can easily see the highest impact risks and can prioritize remediation efforts on those

Assign owners and track risks and remediations to a level acceptable to the business

DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis

DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

RS.CO-03: Information is shared with designated internal and external stakeholders