What Is NIST 800-161?
With modern IT infrastructure becoming increasingly complex, intertwined systems managed through service providers and managing experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure their data security as it travels through those systems?
Over the past decade, enterprise and government specialists have refined the practice of risk management and security-focused on digital supply chain management. To support such efforts, the National Institute of Standards and Technology (NIST) released the newest revision, NIST 800-161, in May 2022.
What Is Supply Chain Risk Management?
A “digital supply chain” is the series of IT systems and infrastructure in which sensitive data is stored, transmitted, and processed. Major enterprise and government operations rely on an increasingly large network of digital service providers, including cloud service providers, app developers and storage providers. They can outsource critical functions like compliance, security, maintenance and development.
This kind of system outsourcing allows agencies and businesses to enjoy several advantages over dedicated or on-premise solutions, including reduced costs, better system management and focused security and compliance teams.
These supply chains also introduce the risk potential, however. Threats against vendors, vulnerabilities from interacting systems and the opening of risks through insider threats are all part and parcel of supply chain risk. It is up to your organization to manage that risk as it pertains to your data.
Therefore, supply chain risk management is a discipline of understanding risks introduced via vendor relationships. Because there are so many systems, people and technologies in place, it can be difficult to address these risk and security issues without some guidance or a framework. In fact, many organizations that attempt ad hoc risk management for their vendor relationships tend to struggle without an overall approach or framework in place.
What Is NIST 800-161?
To help government agencies and related organizations better manage their supply chain risk, NIST released Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” This document provides guidance for these organizations to implement enterprise-wide risk management that encompasses their digital supply chain.
At the heart of this approach is the mapping of several steps that constitute a larger, iterative process of risk assessment:
- Framing Risk: Establishing contexts for risk and risk-based decisions based on the state of IT systems, including those integrated through a third-party provider.
- Assessing Risk: Reviewing threats, vulnerabilities, impacts and attack-related information within the framing context.
- Responding to Risk: Determining appropriate policies, controls, security measures and administrative procedures to adequately react to assessed risk.
- Monitoring Risk: Monitor the effectiveness of risk responses, security measures and management policies on an ongoing basis.
With these in mind, it’s critical to understand exploitable weaknesses in a supply chain system–no simple task, no matter how simple it seems when broken down into the above steps. NIST 800-161 recommends breaking down potential risks into a series of categories:
- Adversarial Threats: Actual, intended attacks that include espionage, malware, etc. These threats stem from concerted attempts to steal data or disrupt the system, often associated with independent or state-sponsored hackers, thieves or other malicious entities.
- Non-Adversarial Threats: Natural disasters, system or service failure (bugs, hardware failure) or regulations that hinder effective security measures and responses.
- External Vulnerabilities: These are vulnerabilities (based on the threats listed above) introduced by other parties in the supply chain–third-party vendors, cloud providers, etc.
- Internal Vulnerabilities: Vulnerabilities introduced from failures in internal IT systems, including unpatched software or a lack of compliant or effective security controls.
While these categories are rather broad, they help you frame the context necessary to begin understanding where potential threats come from. Your organization can implement critical risk management strategies from these, including assigning proper roles and responsibilities, crafting data governance policies, and integrating ongoing risk assessment across your organization.
Finally, NIST 800-161 provides an extensive list of potential security controls that organizations should implement as part of their management process’s “respond to risk” phase. These controls are derived from NIST SP 800-53, a core set of guidelines covering relevant security controls that organizations can use for security and risk assessment.
These controls include larger control families like:
- Access Control: Managing user access to resources based on organizational roles or other factors.
- Awareness and Training: Policies and procedures around creating a workforce versed in security and compliance guidelines, including the management of information and secure interaction with vendors.
- Audit and Accountability: Procedures used by the organization to audit vendor relationships and supply chain interactions, including securing external systems and devices and assigning accountability for such security to relevant parties.
- Assessment, Authorization and Monitoring: Continued assessments and monitoring of interacting systems to determine proper authorization between these systems (including who or what can enter their perimeter.
- Configuration Management: Inventory security systems and controls and ensure proper configuration. This includes having written accountability for third-party vendors in managing system configurations for connected infrastructure.
- Contingency Planning: Creating, maintaining and implementing plans for security events, disaster response or backup operations. This can also include lining up alternative service providers if a critical partner is compromised.
- Identification and Authentication: Ensuring that your systems, and those of vendors, maintain proper authentication and identity management, including multifactor authentication, hardware device management and secure identity verification.
- Incident Response: Preparing your organization to respond to security events related to vendor incidents and maintaining expectations for how vendors in your supply chain respond to those same incidents.
- Maintenance: Controlling procedures around how you and your third-party vendors maintain security and IT system operations.
- Media Protection: Policies and technologies around protecting sensitive data on physical media, including secure storage and transportation, as well as sanitation and destruction after use.
- Physical and Environmental Protection: How you and your vendors limit physical access to IT systems, including the use of security access (guards, required check-ins, automated locks) and monitoring (security cameras).
- Program Management: The programs and policies around supply chain management, including the assignment of roles and responsibilities, funding sources, inventories and plans or action and milestones (POA&M).
- Personnel Security: Includes employee and vendor screening, mutual access agreements with vendors, and security around the guest and third-party system access.
- Personal Identifiable Information (PII) Processing: Literally, transparency controls around PII processing in your and vendor systems.
- Risk Assessment: The overall assessment of risk across the supply chain, including categorizing security threats, outlining mitigation efforts and monitoring ongoing vulnerabilities and threats.
- System and Services Acquisition: The overall policies and procedures around working with vendors in the supply chain, including procedures for obtaining services and applications, hardware and working with service providers.
Enact Comprehensive Risk Management with Lazarus Alliance
Risk assessment, especially over the supply chain, is an ongoing and difficult process. Determining the right way to address all the potential risks in the supply chain can prove beyond the capabilities of even the largest enterprise.
With expert risk assessment and compliance from Lazarus Alliance, you can count on structured, effective and automated risk monitoring and management across your internal systems and your supply chain.
Lazarus Alliance utilizes the Continuum GRC Risk Assessment and Management SaaS. It is the only FedRAMP and StateRAMP Authorized solution in the world.
Ready to Start with Your Supply Chain Risk Management?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.