What Is NIST 800-161?

As modern IT infrastructure becomes increasingly complex, with intertwined systems managed through service providers and outside experts, an inevitable security problem arises: how can an organization that uses several service providers ensure the security of its data as it travels through those systems?

Over the past decade, enterprise and government specialists have refined the practice of risk management and security focused on the digital supply chain. To support such efforts, the National Institute of Standards and Technology (NIST) released the newest revision, NIST 800-161, in May 2022.

What Is Supply Chain Risk Management?

A “digital supply chain” is the series of IT systems and infrastructure in which sensitive data is stored, transmitted, and processed. Major enterprise and government operations rely on an increasingly large network of digital service providers, including cloud service providers, app developers and storage providers, to which they can outsource critical functions like compliance, security, maintenance and development.

This kind of system outsourcing allows agencies and businesses to enjoy several advantages over dedicated or on-premises solutions, including reduced costs, better system management and dedicated security and compliance teams.

These supply chains also introduce risk, however. Threats against vendors, vulnerabilities arising from interacting systems and exposure to insider threats are all part and parcel of supply chain risk. It is up to your organization to manage that risk as it pertains to your data.

Therefore, supply chain risk management is the discipline of understanding the risks introduced through vendor relationships. Because so many systems, people and technologies are involved, it can be difficult to address these risk and security issues without some guidance or a framework. In fact, many organizations that attempt ad hoc risk management for their vendor relationships struggle precisely because no overall approach or framework is in place.

What Is NIST 800-161?

To help government agencies and related organizations better manage their supply chain risk, NIST released Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” This document provides guidance for such organizations on implementing enterprise-wide risk management that encompasses their digital supply chain.

At the heart of this approach is the mapping of several steps that constitute a larger, iterative process of risk assessment:

With these in mind, it is critical to understand the exploitable weaknesses in a supply chain system, which is no simple task, however straightforward it seems when broken down into the above steps. NIST 800-161 recommends breaking potential risks down into a series of categories:

While these categories are rather broad, they help you frame the context necessary to begin understanding where potential threats come from. Based on these categories, your organization can implement critical risk management strategies, including assigning proper roles and responsibilities, crafting data governance policies, and integrating ongoing risk assessment across the organization.

Finally, NIST 800-161 provides an extensive list of potential security controls that organizations should implement as part of the “respond to risk” phase of their management process. These controls are derived from NIST SP 800-53, a core catalog of security controls that organizations can use for security and risk assessment.

These controls include larger control families like:

Enact Comprehensive Risk Management with Lazarus Alliance

Risk assessment, especially across the supply chain, is an ongoing and difficult process. Determining the right way to address all the potential risks in the supply chain can prove beyond the capabilities of even the largest enterprise.

With expert risk assessment and compliance from Lazarus Alliance, you can count on structured, effective and automated risk monitoring and management across your internal systems and your supply chain. 

Lazarus Alliance utilizes the Continuum GRC Risk Assessment and Management SaaS. It is the only FedRAMP and StateRAMP Authorized solution in the world.

Ready to Start with Your Supply Chain Risk Management?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
