Regulation & Compliance

NIST Cybersecurity Framework Now Includes Supply Chain Risk Management Category

Alex Campanelli | June 15, 2018

Recently, the National Institute of Standards & Technology (NIST) released an updated Version 1.1 of the NIST Cybersecurity Framework, which now includes a new category on “Supply Chain Risk Management.”

NIST is a non-regulatory agency of the United States Department of Commerce and is the creator of the NIST Cybersecurity Framework, a voluntary framework consisting of “standards, guidelines, and best practices to manage cybersecurity-related risk.” The framework was first created in 2016 to help “promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

Though it is not a requirement or regulation, many organizations around the world have started leveraging the NIST Framework as a model to guide them in meeting other cybersecurity requirements and regulations. The inclusion of this new category reflects the broader regulatory market, where requirements around third-party (supply chain or vendor) risk management have been increasing.

This new category not only provides specific guidance to companies on incorporating supply chain risk management into their overall cyber risk management processes, but also reinforces the importance of having a strong third-party risk management program in place. The framework recommends that organizations identify their highest-risk suppliers, incorporate cybersecurity into contracts with those suppliers, and regularly assess and monitor the cybersecurity posture of those suppliers. Security ratings enable companies to do this in an efficient and effective manner.

BitSight Security Ratings for the NIST Cybersecurity Framework and vendor risk management can help organizations develop or mature a third-party risk management program, tier their most critical vendors, collaborate with their vendors to reduce ecosystem cyber risk, and continuously monitor those partners.

With the ability to drill down into the security details used to generate an organization’s rating, companies can lead intelligent, data-driven conversations with vendors about their security posture and ultimately reduce risk. Because BitSight’s data has been independently verified to correlate with data breaches, companies can also trust these ratings to monitor cyber risk and make important business decisions.
