Skip to content
Home / Function (NIST CSF 2.0) / GV - Govern

SC – TPRM

NIST CSF Category GV.SC
In Third-Party Risk Management (TPRM), normative documents are essential for systematically assessing and mitigating risks introduced by vendors, suppliers, and service providers. Standards such as ISO/IEC 27036 (information security for supplier relationships) and guidance from NIST SP 800-161 provide frameworks for evaluating third-party security controls, contractual obligations, and ongoing monitoring. Regulatory bodies and laws, including the EU NIS2 Directive and U.S. regulations like FFIEC IT Examination Handbook for financial institutions, require organizations to manage vendor risks to protect sensitive data and ensure service reliability. By adhering to these standards and regulations, organizations can enforce consistent security expectations, reduce exposure to supply chain threats, and maintain compliance with legal and industry requirements.

NIST SP 800-18 Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

NIST SP 800-18 Revision 2, “Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems,” provides a structured framework for creating comprehensive security plans for federal information systems,… Read More »NIST SP 800-18 Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

NIST SP 800-161 Rev. 1, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” offers comprehensive guidance for organizations to identify, assess, and mitigate cybersecurity risks across their… Read More »NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations