Choosing Better Vendors: How NIST RMF Can Help You Manage IT Risks

In the past year, vendors providing technology to government organizations and contractors have fallen under scrutiny. In May, President Trump signed executive order (EO) 13873, which bans organizations in the U.S. from using products produced by companies considered a “national security threat”. This followed concerns that Chinese telecom giant Huawei could be using its products to spy on the government.

Although Huawei may or may not have used its technology to gather U.S. intelligence, it’s far from outside the realm of possibility: compromised information and communications technology (ICT) products are on the list of risks provided by the National Institute of Standards and Technology (NIST) in special publication (SP) 800-37. The duty falls on organizations to avoid these risks by vetting their partners carefully.

Fortunately, the NIST risk management framework (RMF) provides several principles which organizations can follow to choose better vendors and keep vulnerable technology out of their IT infrastructure. In this article, we’ll review them.

SCRM Principles

The NIST RMF provides a detailed framework used by technology administrators to define, assess, report, and manage security risks in a federal context. Risks posed by vendors are specifically addressed under “Supply Chain Risk Management” (SCRM) and covered in greater detail by NIST SP 800-161. The most serious ones include:

  • Counterfeits and unauthorized production
  • Inclusion of malicious software or hardware
  • Poor manufacturing and development practices
  • Failure to include security or privacy capabilities

While risk can never be fully eliminated from an organization, it can be managed to reduce the likelihood of threat events such as data theft, system failure or a cyberattack. With that in mind, here are six tips for choosing low-risk vendors:

1. Ensure Business Integrity

A good vendor is first and foremost a good business. Organizations should be able to depend on them for support, high standards of development, and rapid service during the lifetime of a warranty.

Government vendors are already required to demonstrate competent business practices through the GSA’s vendor certification program. Beyond that, make sure that an ICT vendor demonstrates growth and a history of successful contracts.

2. Ensure Product Quality

For the moment, there is no one-size-fits-all standard for ICT products. But depending on an organization’s needs, seeking external validation can show that a product meets security standards of varying rigor.

NIST suggests a range of certifying bodies including the National Information Assurance Partnership (NIAP), International Organization for Standardization (ISO) and Open Group Trusted Technology Forum (OTTF).

Of these, NIAP certification is probably the most useful generalized certification available today. It shows that a product meets U.S. cryptography standards covered by FIPS in addition to the international Common Criteria for IT Security Evaluation.

3. Avoid End-of-Life Products

There is nothing that prevents a government organization from acquiring used technology, and it may wish to do so as a cost-saving measure. But if an ICT product has reached the end of its service life, it may not receive new software updates to remove vulnerabilities or bugs as they are discovered.

Before doing business with any vendor, make sure that their products are still current, and will not be retired in the near future.

4. Verify Security Controls

The NIST RMF stipulates that organizations should select security controls to mitigate risks. While some of these controls are mandatory, most of them are chosen at an organization’s discretion. This leaves the organization responsible for ensuring that the required controls can be implemented on the ICT products it acquires. If it’s unclear whether they can, then the organization should contact the vendor in advance.

5. Assess for Compromise

After new technology is acquired, an organization should conduct its own tests to ensure that it is free from malware, manufacturing defects and suspicious components. It should also confirm that any firmware or operating system running on the device is up to date and validate that all features advertised by the vendor are indeed present and functional.

6. Diversify IT Portfolio

The authors of NIST RMF point out that “Supply chain risks can be endemic or systemic within a system element, system, [or] organization”. In the case of systemic risk, overdependence on a single vendor can amplify that risk significantly. Government organizations should therefore heed the old proverb: “don’t put all your eggs in one basket” when building ICT systems and infrastructure.

Who is Responsible for Risk?

Next year, the Cybersecurity Maturity Model Certification (CMMC) will go into effect, requiring government vendors to meet a basic standard for cybersecurity controls. While this will make it easier to vet vendors, it will neither eliminate risks from the ICT supply chain nor will it change the fact that organizations are liable for the risks they undertake.

According to the NIST RMF, “Organizations are responsible and accountable for the risk incurred when using…products, systems, and services [from external providers]”. This rule holds true both on principle and in the real world. In the case of a threat event, the targeted organization – not the vendor – will be blamed and held accountable.

Risk Management Software

Keep your information all in one place and conduct risk assessments with peace of mind. MathCraft’s Access Commander is an all-in-one risk compliance solution for FSOs and government partners. Our Risk Management Framework (RMF) module provides a comprehensive platform for RMF Assessment and Authorization. Take proactive steps to protect your organization today.