By: Val Mahanor, Director, Cybersecurity, RiskRecon By Mastercard

NIST CSF 2.0: Updated Third Party & Supply Chain Risk Management – Part 2

As reviewed in the first blog post, third-party data breaches and security incidents continue to dominate news headlines, highlighting the importance of stronger risk management practices. This is why industry standards like NIST's Cybersecurity Framework (CSF) 2.0 are crucial, as they provide guidance to enhance cybersecurity and third-party risk programs.

This three-part series explores NIST CSF 2.0's supply chain and third-party risk management updates, released in February 2024. In part 2 of the series, we'll dive deeper into how RiskRecon can help align third-party and supply chain risk management to the CSF 2.0 Govern function to enhance your organization’s cybersecurity and third-party risk program.

Missed Part 1? Read it here!

PART 2 - Applying Govern Functions to Supply Chain Risk Management

GV.SC: Cybersecurity Supply Chain Risk Management

To recap, the new GV.SC Category includes 10 supply chain and third-party risk management best practice "Subcategories", which are outcomes organizations can aspire to achieve. Practical implementation examples are supplied by NIST under each subcategory, along with additional cross-reference mappings to other standards and controls, including NIST 800-53, 800-171, and the Critical Security Controls.

Below is a practical guide, with implementation examples, to assist your organization in implementing three of the ten Supply Chain Subcategories using the RiskRecon platform. The complete list of subcategories and additional details can be found on the free NIST CSF tool website below:

https://csf.tools/reference/nist-cybersecurity-framework/v2-0/gv/gv-sc/

GV.SC-03

Requirement: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.

NIST 2.0 Implementation Examples

  • Identify areas of alignment and overlap with other teams
  • Include Supply Chain risk awareness to senior leaders and at the enterprise level

RiskRecon Implementation Examples

  • Real-Time Insights: RiskRecon enables organizations to validate whether technical controls are effectively implemented in a supplier's external environment.
  • Executive Reporting: RiskRecon provides automated risk scoring, benchmarking, and trend analysis, equipping senior leadership with clear, actionable insights into third-party and supply chain cyber risk.
  • Internal Risk Posture: Organizations can also use RiskRecon to assess their own cyber health, uncover shadow IT, and manage internet-facing infrastructure.

GV.SC-06

Requirement: Planning and due diligence are performed to reduce risks before entering formal supplier or other third-party relationships.

NIST 2.0 Implementation Examples

  • Conduct supplier risk review against business and cyber requirements

RiskRecon Implementation Examples

  • Automated Assessments: Before onboarding a vendor, RiskRecon enables organizations to evaluate the supplier's external security posture more effectively with real-time analytics, ensuring their cyber risk aligns with business and compliance requirements.
  • Vendor Benchmarking: RiskRecon's benchmarking capabilities allow business owners and procurement teams to compare vendor security postures, helping decision-makers select partners with strong cybersecurity hygiene.
  • Technical Controls: Organizations can verify whether suppliers have properly implemented security controls in their external and internal environments before signing contracts, reducing the risks associated with poor cybersecurity practices.

GV.SC-07

Requirement: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.

NIST 2.0 Implementation Examples

  • Adjust assessment format and frequency based on criticality
  • Assess suppliers over the course of the relationship
  • Monitor critical suppliers to ensure they are fulfilling security obligations
  • Monitor for changes to risk profiles and reevaluate criticality and impact accordingly

RiskRecon Implementation Examples

  • Continuous Supplier Monitoring: RiskRecon provides ongoing visibility into supplier cyber risks, ensuring organizations can detect security gaps and vulnerabilities before they are exploited.
  • Risk-Based Action Plans: RiskRecon automatically ranks findings based on issue severity and asset value, allowing high-risk vendors to be prioritized and resources to be allocated accordingly.
  • Tracking Vendor Trends: RiskRecon enables security teams to track changes in vendor cyber health over specified time periods, helping to identify trends, emerging threats, and long-term security performance shifts.
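The two GV.SC-07 ideas above that lend themselves to a worked illustration are risk-based prioritization (rank findings by issue severity and asset value) and criticality-driven monitoring (adjust review frequency by supplier criticality, and reevaluate when a vendor's risk profile shifts). The following Python is an added example written for this post; it is not RiskRecon code and does not reflect RiskRecon's actual scoring model. The severity weights, the 1-5 asset-value scale, the review intervals, the change threshold and the vendor findings are all constructed assumptions chosen to make the logic concrete.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMPTION: illustrative severity weights, not a RiskRecon definition.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# ASSUMPTION: illustrative reassessment cadence (days) per supplier criticality tier,
# mirroring "adjust assessment format and frequency based on criticality".
REVIEW_INTERVAL_DAYS = {"critical": 30, "high": 90, "moderate": 180, "low": 365}


@dataclass(frozen=True)
class Finding:
    vendor: str
    asset: str
    issue: str
    severity: str    # one of the SEVERITY_WEIGHT keys
    asset_value: int  # 1 (low business value) .. 5 (high), an assumed scale


def finding_score(f: Finding) -> int:
    """Issue severity combined with asset value: a severe issue on a low-value
    asset ranks below a moderate issue on a high-value asset."""
    return SEVERITY_WEIGHT[f.severity] * f.asset_value


def prioritize(findings):
    """Highest-score findings first; ties broken deterministically by vendor and issue."""
    return sorted(findings, key=lambda f: (-finding_score(f), f.vendor, f.issue))


def vendor_risk(findings):
    """Aggregate finding scores per vendor so high-risk vendors surface first."""
    totals = {}
    for f in findings:
        totals[f.vendor] = totals.get(f.vendor, 0) + finding_score(f)
    return totals


def next_review(criticality: str, last_review: date) -> date:
    """Critical suppliers are reassessed more often than low-criticality ones."""
    return last_review + timedelta(days=REVIEW_INTERVAL_DAYS[criticality])


def risk_profile_changes(previous, current, threshold=10):
    """Vendors whose aggregate risk rose by at least `threshold` since the last
    snapshot; these are the ones whose criticality and impact should be reevaluated."""
    return sorted(v for v, s in current.items() if s - previous.get(v, 0) >= threshold)


# Constructed sample findings (vendor names and hosts are fictitious).
FINDINGS = [
    Finding("acme-hosting", "vpn.acme.example", "TLS 1.0 enabled", "medium", 5),
    Finding("acme-hosting", "blog.acme.example", "Missing HSTS header", "low", 1),
    Finding("northwind-payroll", "portal.northwind.example", "End-of-life software version", "critical", 4),
    Finding("northwind-payroll", "mail.northwind.example", "Expired TLS certificate", "high", 3),
]

# Constructed previous-period snapshot of per-vendor totals.
PREVIOUS_SNAPSHOT = {"acme-hosting": 18, "northwind-payroll": 25}


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{finding_score(f):>3}  {f.vendor:<18} {f.asset:<28} {f.issue}")
    current = vendor_risk(FINDINGS)
    print("vendor totals:", current)
    print("reevaluate criticality for:", risk_profile_changes(PREVIOUS_SNAPSHOT, current))
    print("next review of a critical supplier last reviewed 2024-02-26:",
          next_review("critical", date(2024, 2, 26)))
```

Running it lists the end-of-life software issue on the high-value portal first (score 40), then the expired certificate (21), then the TLS 1.0 finding on the VPN (20), and flags northwind-payroll for reevaluation because its aggregate rose from 25 to 61 while acme-hosting moved only from 18 to 21. The multiplicative score is a simplification: a real program would also weigh exploitability, exposure and compensating controls, but the structure (severity, asset value, per-vendor aggregation, change-triggered reassessment) is the part that maps to the GV.SC-07 outcome.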

Key Takeaways

As organizations face growing pressure to manage cybersecurity risks, aligning with frameworks like NIST CSF 2.0 helps organizations at various maturity levels strengthen their third-party risk management programs.

RiskRecon empowers organizations to meet these requirements by delivering accurate, data-driven insights into both external supplier environments and their own digital footprint. With capabilities like continuous monitoring, risk-prioritized action plans, and AI-powered assessments, RiskRecon helps security teams take a proactive and scalable approach to managing third-party risk. RiskRecon's Supply Chain Monitoring and Visualization use case helps organizations align to the new NIST CSF 2.0, while extending visibility and insight beyond third parties without additional approvals or permissions.

Let's Get Started

To learn more about RiskRecon and the implementation examples provided within this post, schedule a demo today!

Additional Resources

The Power of Risk Ratings Platforms
https://blog.riskrecon.com/the-power-of-risk-ratings-platforms-driving-better-risk-decisions

NIST CSF
https://www.nist.gov/cyberframework

NIST CSF Quick Start Guides
https://www.nist.gov/quick-start-guides

NIST CSF Tool
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/

NIST CSF Resource Guide
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf