NIST had five core functions: Identify, Protect, Detect, Respond, and Recover. But with the unveiling of NIST 2.0 another function has been added: Govern.
This new function of “Govern” is crucial for organizations, as it involves establishing and monitoring cybersecurity risk management strategies, expectations, and policies. This function also shines a light on supply chain risk management.
NIST 2.0 tackles the escalating concerns surrounding third-party risks by highlighting the security gaps often found in supply chains and the necessary actions needed to secure organizations. The framework empowers organizations to effectively manage these risks and enhance the security of their supply chains by offering clear guidelines:
- A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.
- Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
- Suppliers are known and prioritized by criticality.
- Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.
- Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships.
- The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.
- Relevant suppliers and other third parties are included in incident planning, response, and recovery activities.
- Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.
With VISO TRUST, artifact-based third party risk assessments are performed leveraging 30+ frameworks and standards, including NIST C-SCRM to provide coverage on supply chain risks, in addition to existing coverage for security, privacy, resilience and more.
VISO TRUST aims to streamline Third-Party Risk Management (TPRM) processes and delivers invaluable insights into risk acceptance, capacity, and robust protocols to address vulnerabilities head-on. Our platform provides extensive risk insights to support well-informed decisions, seamless evaluation of vendors via streamlined due diligence processes, and an automated security posture assessment with Artificial Intelligence.
Empower your organization to reduce supply chain risk. Explore our Solution Brief to take charge and be proactive!
Dive into the game-changing features of the all-new NIST CSF 2.0 Framework with VISO TRUST by your side!