By: Steve Tobias, CISSP, CISM, CTPRP, Lead Customer Success Advisor, RiskRecon by Mastercard
NIST CSF 2.0: Updated Third Party & Supply Chain Risk Management
Third-party data breaches and security incidents continue to dominate news headlines, with 32% of publicly reported breaches now resulting from a compromised third party (1). Using standards and frameworks can greatly assist with effectively monitoring and managing third-party risk.
The National Institute of Standards and Technology (NIST) released an update to its popular Cybersecurity Framework (CSF) in February 2024. The NIST CSF is a voluntary set of standards, guidelines, and best practices that helps organizations manage cybersecurity risk. In this three-part series we will explore the updated supply chain and third-party cybersecurity risk management guidance in NIST CSF 2.0, which any organization can use to implement and mature a Third-Party Risk Management program.
PART 1
What is the NIST CSF and what changed?
Following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk and provide guidance based on established standards and best practices; the original CSF was released in 2014. The NIST CSF is a valuable tool for any organization seeking to evaluate and improve its cybersecurity posture. The CSF is a voluntary set of guidelines, practices and controls that helps organizations of any size, sector or program maturity manage their cyber and supply chain risk, enhance their protection against cyber threats and improve their overall cybersecurity program. It describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because every organization will require a unique strategy, the CSF 2.0 framework is not prescriptive; rather, it describes desirable outcomes an organization can aspire to achieve and provides guidance and recommendations for practices and controls that can be used to meet those outcomes.
The CSF 2.0, along with NIST’s supplementary resources and informative references, can be used by any organization to understand, assess, prioritize, and communicate cybersecurity risks; to improve its cybersecurity, supply chain and third-party risk programs; and to integrate those programs with broader risk management strategies.
How is the NIST CSF 2.0 organized?
The CSF 2.0 is a comprehensive collection of guidelines, practices and controls divided into six Functions: Govern, Identify, Protect, Detect, Respond, and Recover – briefly summarized below.
- Govern (GV) – The organization’s cybersecurity and supply chain risk management strategy, expectations, and policy are established, communicated, and monitored.
- Identify (ID) – The organization’s assets, suppliers, and related cyber risks are understood.
- Protect (PR) – Safeguards to manage the organization’s cybersecurity risks are used.
- Detect (DE) – Possible cybersecurity attacks and compromises are found and analyzed.
- Respond (RP) – Actions regarding a detected cybersecurity incident are taken.
- Recover (RC) – Assets and operations affected by a cybersecurity incident are restored.
These Functions together with their associated Categories and Subcategories comprise the CSF Core and detail desired outcomes, practices, and guidelines that can provide a comprehensive view for managing cybersecurity, third-party and supply chain risk.
What changed: New Supply Chain & Third-Party Risk Components of NIST CSF 2.0
The GOVERN (GV) Function is new in the 2024 release of NIST CSF 2.0. Categories under GV include Risk Management, Policy, Oversight and Cybersecurity Supply Chain Risk Management.
The new GOVERN (GV) Function can help guide the overall implementation of the NIST CSF. The addition of Governance aims to improve the operationalization of risk management and decision-making by including executive leadership and other business functions beyond just the CISO or CSO. The NIST CSF 2.0 documentation quoted below highlights the incorporation of supply chain and third-party risk management as part of the new GOVERN (GV) Function.
- GOVERN (GV) — The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. The GOVERN Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
GV.SC: Cybersecurity Supply Chain Risk Management
The new GV.SC Category includes ten supply chain and third-party risk management best-practice Subcategories, which are outcomes organizations can aspire to achieve. NIST supplies practical implementation examples under each Subcategory, along with cross-reference mappings to other standards and controls, including NIST 800-53, 800-171 and the Critical Security Controls. The ten Supply Chain Subcategories are:
- GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
- GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
- GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
- GV.SC-04: Suppliers are known and prioritized by criticality
- GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
- GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
- GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
- GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
- GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
- GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Practical Implementation Examples
A few NIST CSF supply chain Practical Implementation Examples are listed below. The full listing and details can be accessed on the free NIST CSF tool website: https://csf.tools/reference/nist-cybersecurity-framework/v2-0/gv/gv-sc/.
GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
Implementation Examples:
- Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
- Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
- Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
Implementation Examples:
- Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
- Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
- Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity
Key Takeaways
NIST CSF 2.0 includes a wealth of guidance and best practices to build, evaluate and strengthen third-party and supply chain risk management programs. Leverage the free NIST CSF tool to explore NIST CSF 2.0 guidance, profiles, tiers, implementation examples, and informative references to other standards and best practices.
A few important Govern Function components include:
- Understand and assess specific cybersecurity needs: “Determine your organization’s unique risks and needs. Discuss the current and predicted risk environment and the amount of risk your organization is willing to accept.”
- Develop a cybersecurity risk strategy: “This should be based on your organization’s specific cybersecurity objectives, the risk environment etc.”
- Implement continuous oversight and checkpoints: “Analyze risks at regular intervals and monitor them continuously.”
- Establish and monitor cybersecurity supply chain risk management: “Establish strategy, policy, and roles and responsibilities — including for overseeing suppliers, customers, and partners.”
In Part 2 of this series, we will dig deeper into how RiskRecon can help with third-party and supply chain risk management CSF GV.SC components to enhance your organization’s cybersecurity and third-party risk program and drive better business outcomes in an increasingly uncertain world.
To learn more about RiskRecon, schedule a demo today!
Additional Resources
The Power of Risk Ratings Platforms
https://blog.riskrecon.com/the-power-of-risk-ratings-platforms-driving-better-risk-decisions
How to Build a Cyber Risk Management Program
https://b2b.mastercard.com/news-and-insights/blog/how-to-build-a-cyber-risk-management-program/
NIST CSF
https://www.nist.gov/cyberframework
NIST CSF Quick Start Guides
https://www.nist.gov/quick-start-guides
NIST CSF Tool
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/
NIST CSF Resource Guide
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf