With each revision of 800-53, the security and data privacy controls outlined within the NIST 800-53 risk management framework have evolved in response to an increasing number of breaches caused by supplier-related issues.
By complying with NIST 800-53, organisations align with the Federal Information Security Modernisation Act (FISMA) and the Federal Information Processing Standard Publication 200 (FIPS 200). For those organisations not affiliated with the US federal government, NIST 800-53 is a voluntary but highly respected framework to align with.
NIST 800-53 Risk Management Framework Controls
Below, we have identified a selection of the NIST supply chain controls that organisations may choose to prioritise in order to mitigate risk and meet NIST recommendations, broken down by function.
Function: Identify
NIST vendor risk management requires establishing whether a supplier or vendor has taken steps to identify critical systems and components using a risk management framework.
CM-8: System Component Inventory
Developing and documenting an inventory of system components to provide an accurate reflection of systems. System components are discrete, identifiable information technology assets consisting of hardware, software and firmware.
RA-3: Risk Assessment
Conducting risk assessments, documenting their results and reviewing and updating assessments regularly.
NIST risk assessments take threats, vulnerabilities, likelihood and impact on organisational operations and assets into account, as well the impact on individuals, other organisations and even nations. Risk assessments consider third party risks from external parties.
Risk assessments can be conducted at all three levels of the risk management hierarchy and at any stage in the system development life cycle. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
SA-4: Acquisition Process
Identifying relevant security and privacy controls is an integral part of any new system acquisition. Security and privacy functional requirements are typically derived from those described in SA-2.
SR-2: Risk Management plan
Developing an NIST risk management plan for the supply chain.
Any level of dependence on products, systems, and services from external providers increases risk to an organisation. Supply chain risks can be endemic or systemic, within a system element or component, a system, an organisation, a sector or the nation.
NIST Supply chain risk management (SCRM) activities include:
- Identifying and assessing risks
- Determining appropriate risk response actions
- Developing plans to document response actions
- Monitoring performance against plans.
SCRM plans should be tailored to the individual programme, organisational, and operational contexts. This is because supply chains can differ significantly across and within organisations.
Tailored risk management plans enable organisations to focus resource on the most critical mission and business functions based on key business requirements and the risk environment.
Function: Protect
Establishing whether a supplier has defined and implemented controls to manage access to, and visibility of, critical systems.
AC-3: Access Enforcement
Enforcing approved authorisation based on logical access to information and system resources that are defined by access control policies.
AT-2: Training and Awareness
Delivering security and privacy training to system users within organisations.
Training should provide basic and advanced levels of literacy training to system users, including measures that test the knowledge level of users based on role requirements and organisational needs.
Training should also be updated at regular intervals, to include:
- Topical information on recent attack schemes
- Changes to organisational security and privacy policies
- Revised security and privacy expectations.
CM-3: Configuration Change Control
Determining and documenting the types of changes and remediation work required for systems, the processes for managing configuration changes and the process for reviewing changes.
IA-2: Identification and Authorisation
Creating identification and authentication requirements for users, including approved authorisation for logical access.
Organisational users include employees or individuals considered to have an equivalent status to employees, such as contractors and guest researchers.
Unique identification and authentication of users applies to all accesses other than those explicitly identified in AC-14 and that occur through the authorised use of group authenticators without individual authentication.
Access to organisational systems is defined as either local access or network access (including remote access). Identification and authentication requirements for non-organisational users are described in IA-8.
SC-7: Boundary Protection
Monitoring and controlling communications at the external and internal managed interfaces. This can include gateways, firewalls, guards, routers, network-based malicious code analysis, virtualisation systems, or encrypted tunnels implemented within a security architecture.
The restriction of interfaces within organisational systems also includes restricting external web traffic to designated web servers within managed interfaces.
Function: Detect
Establishing whether a supplier has visibility into new and emerging threats.
AU-2: Event Logging
Identifying events that systems are able to log.
Event logging should begin with those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging should also meet specific monitoring and auditing needs.
Password changes, administrative privilege usage, failed logons or failed accesses related to systems, security or privacy attribute changes, PIV credential usage, query parameters, data action changes and external credential usage are all examples of relevant event types.
It’s necessary to review and update the set of logged events to ensure they remain relevant and continue to support the needs of the organisation.
CP-2: Contingency Planning
Testing contingency plans for systems through a series of defined test that ensure the plan’s effectiveness.
Contingency planning for systems is part of an overall program for achieving continuity of operations that deliver on an organisation’s mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes in the event that systems are compromised or breached.
By coordinating contingency planning with incident handling activities, organisations can help to ensure that the necessary planning activities are in place and activated should an incident occur.
CP-4: Contingency Testing
Testing the contingency plan for systems to identify potential weaknesses.
In order to determine the effectiveness of plans and identify potential weaknesses, testing of contingency plans can include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises.
Organisations are given flexibility and discretion in defining the breadth, depth, and timelines for any corrective actions required as a result of testing.
RA-5: Vulnerability Monitoring and Scanning
Monitoring and scanning for system vulnerabilities and vulnerabilities on hosted applications.
The frequency and comprehensiveness of vulnerability monitoring is guided by the security categorisation of information and systems within an organisation. This control also assesses the capability to readily update monitoring tools as new vulnerabilities are discovered and as new scanning methods are developed.
Vulnerability monitoring includes scanning for patch levels, functions, ports, protocols, and services that should not be accessible to users or devices. It also includes scanning for flow control mechanisms that aren’t configured or functioning correctly.
SI-4: System Monitoring
Monitoring systems to detect attacks and indicate the potential for attacks.
System monitoring includes both external and internal monitoring. System monitoring capabilities are achieved through a number of techniques and tools, including intrusion detection and prevention systems, scanning tools, malicious code protection software, scanning tools, network monitoring software and audit record monitoring.
Function: Respond and Recover
Establishing whether a supplier is able to identify and manage incidents and threats, with the ability to recover critical systems and services.
IR-4: Incident Handling and Response
Implementing an effective incident handling capability, aligned to an incident response plan.
Incident response is integral to the definition, design and development of mission and business processes and systems.
Preparing for effective incident handling means coordinating a number of organisational entities (e.g. mission or business owners, system owners, authorising officials, human resources offices, personnel security offices, physical security offices, operational personnel, legal departments or procurement offices).