Using NIST Cybersecurity Framework to Assess Vendor Security

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish this we need to know company details such as ownership, company size, products offered, and headquarters location. We need to understand the company’s financial position, that is, whether they are financially stable enough to service your needs for the next one to two years. We need to know whether the vendor will do what it promises, judged by reputation: BBB ratings, CFPB complaints, and reference checks. And we need to know how well the vendor is going to protect your data.

Vendors that provide IT services have additional due diligence requirements. We need to make sure contract language includes the right to audit, data security measures, and data ownership. We need specific security considerations and incident response procedures, and for cloud-based IT services there are additional data security questions that need answers. (FFIEC guidance refers to the NIST SP 800-145 definition of cloud computing, although in practice that definition is rarely applied when deciding what counts as “cloud.”)

Ultimately, we as the people responsible for vendor due diligence must understand the vendor’s cybersecurity posture. So how do you find that out? You can ask for an audit of their security controls, which typically comes back in the form of an SSAE 16 report.

SSAE 16, if you haven’t looked it up already, stands for “Statement on Standards for Attestation Engagements” No. 16, the AICPA standard under which these audits are performed. (It has since been superseded by SSAE 18, but reports issued under SSAE 18 follow the same SOC 1 / SOC 2, Type 1 / Type 2 structure described below.)

The SSAE 16 audit is delivered in the form of a Service Organization Control (SOC) report. There are several types, but the two most common and important are the SOC 1 Type 2, which reports on the design and operating effectiveness of the vendor’s internal controls over financial reporting, and the SOC 2 Type 2, which reports on the design and operating effectiveness of controls measured against the Trust Services Principles (security, availability, processing integrity, confidentiality, and privacy). The “Type 2” matters: a Type 1 report only attests that controls were suitably designed at a point in time, while a Type 2 report attests that they operated effectively over a review period, typically six to twelve months.

Not that you usually have a choice, but in most cases the SOC 2 Type 2 is the best report for assessing cybersecurity. The SOC 1 report, however, is the one vendors most commonly provide.

Because the service organization has discretion over which of the five Trust Services Principles are examined and reported on during a SOC 2 engagement, not all SOC 2 reports are the same. A report that covers only availability, for example, says little about security. You have to dig into the details to understand what is actually being reported.

For example, if an IT service provider has the SOC audit performed on its corporate network but outsources application development and data center hosting to subservice organizations that are carved out of the report, the report says nothing about the controls that actually protect your data, and you are essentially left with a meaningless document.

The ordinary steps of an SSAE 16 review are:

  • Pinpoint findings (testing exceptions) that lack an adequate management response
  • Provide the complementary user entity controls (the controls the report assumes you, the customer, operate) to the system owner and/or IT

But I don’t want anybody to be ordinary. Get a free copy of our Vendor Cybersecurity Review Template.

To be a vendor Cybersecurity assessment Jedi, use the Framework you must.

  • Review the description of the system: which locations, systems, and services are in scope
  • Search for “subservice”: every subservice organization named is your vendor’s vendor, and if the report uses the carve-out method their controls are not covered and you need their SOC reports too
  • Use the Framework’s functions, categories, or sub-categories (depending on your technical expertise and comfort level) as a checklist to ensure the control objectives you care about are covered

[Screenshot: partial view of the NIST Cybersecurity Framework Core, showing functions, categories, and sub-categories]

Using the partial image above, we could search through the SSAE 16 report in a structured manner using the Framework as a guide.

If we were using the sub-categories of the Framework, we would check the vendor’s report for a control that states ‘response plans incorporate lessons learned’ (RS.IM-1) or something very similar. Then we would look to see whether ‘response strategies are updated’ (RS.IM-2), and so on down the list, noting each sub-category for which the report offers no control at all.
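The walkthrough above (review the system description, search for “subservice”, map sub-categories to controls) together with the two ordinary review steps, as an added example for this post rather than a tool from the original page: a Python script that runs those checks over a constructed SOC 2 excerpt. The report text, its “Section N:” layout, and the keyword patterns are my assumptions; the sub-category IDs and wording are from NIST CSF v1.1. The script only finds candidate text for a human to read, it does not judge whether a control is adequate.

```python
"""Structured SOC 2 review driven by NIST CSF sub-categories.

Added example for this post, not a tool from the original page. The report
text is a constructed stand-in for a SOC 2 Type 2 excerpt; the section layout
and keyword patterns are assumptions, the sub-category IDs and wording are
from NIST CSF v1.1.
"""
import re
from collections import defaultdict

# Constructed SOC 2 excerpt (not a real report). Note the carved-out
# subservice organizations and the second exception with no response.
SAMPLE_REPORT = """
Section III: Description of the System
The service organization provides a hosted loan servicing application.
Application development and data center hosting are performed by subservice
organizations. The description uses the carve-out method; controls at the
subservice organizations are excluded from this report.

Section IV: Control Activities
CC6.1 - User access is provisioned through a ticketing workflow, reviewed
quarterly, and revoked within 24 hours of termination.
CC7.2 - Network traffic is monitored by an intrusion detection system and
alerts are reviewed daily by the security team.
CC7.4 - Incident response plans are tested annually and updated to
incorporate lessons learned from exercises and actual incidents.

Section V: Test Results
Exception: Two of 25 terminated users retained active accounts for more
than 24 hours.
Management response: Offboarding tickets now auto-generate from HR.
Exception: Backup restoration was not tested during the examination
period.
"""

# NIST CSF v1.1 sub-category -> (official wording, keyword pattern).
# The patterns are assumptions about how a control description phrases
# the objective; they locate candidate text, they do not judge adequacy.
CSF_SUBCATEGORIES = {
    "PR.AC-1": ("Identities and credentials are issued, managed, verified, revoked, and audited",
                r"\b(access|account|credential)s?\b.*\b(provision|review|revok)"),
    "PR.IP-4": ("Backups of information are conducted, maintained, and tested",
                r"\bbackup.*\btest"),
    "DE.CM-1": ("The network is monitored to detect potential cybersecurity events",
                r"\b(network|traffic)\b.*\bmonitor"),
    "RS.IM-1": ("Response plans incorporate lessons learned",
                r"\bresponse plan.*\blessons learned"),
    "RS.IM-2": ("Response strategies are updated",
                r"\bresponse (plan|strateg).*\bupdat"),
}

SECTION_RE = re.compile(r"^Section [IVX]+: (.+)$", re.MULTILINE)
SENTENCE_SPLIT = re.compile(r"(?<=[A-Za-z)][.])\s+")  # period after a letter ends a sentence


def parse_sections(report):
    """Return {section title: [sentences]} using the assumed 'Section N: Title' headers."""
    headers = list(SECTION_RE.finditer(report))
    sections = {}
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(report)
        body = " ".join(report[h.end():end].split())  # unwrap line breaks
        sections[h.group(1).strip()] = [s for s in SENTENCE_SPLIT.split(body) if s]
    return sections


def find_subservice_orgs(sections):
    """Step 2: sentences naming subservice organizations, and whether the
    carve-out method is used (their controls are then outside the report)."""
    hits = [s for sents in sections.values() for s in sents if "subservice" in s.lower()]
    return hits, any("carve-out" in s.lower() for s in hits)


def map_to_csf(sections):
    """Step 3: sentences matching each sub-category, tagged with their section."""
    evidence = defaultdict(list)
    for title, sents in sections.items():
        for s in sents:
            for sub_id, (_, pattern) in CSF_SUBCATEGORIES.items():
                if re.search(pattern, s, re.IGNORECASE):
                    evidence[sub_id].append((title, s))
    return dict(evidence)


def coverage_gaps(evidence, control_section="Control Activities"):
    """Sub-categories with no control in the controls section. A mention
    elsewhere (typically an exception) is returned for context but does not count."""
    gaps = {}
    for sub_id in CSF_SUBCATEGORIES:
        found = evidence.get(sub_id, [])
        if not any(sec == control_section for sec, _ in found):
            gaps[sub_id] = [s for _, s in found]
    return gaps


def unanswered_exceptions(sections, results_section="Test Results"):
    """The 'ordinary' check: exceptions not immediately followed by a management response."""
    sents = sections.get(results_section, [])
    out = []
    for i, s in enumerate(sents):
        nxt = sents[i + 1].lower() if i + 1 < len(sents) else ""
        if s.lower().startswith("exception:") and not nxt.startswith("management response"):
            out.append(s)
    return out


if __name__ == "__main__":
    sections = parse_sections(SAMPLE_REPORT)
    hits, carved_out = find_subservice_orgs(sections)
    if carved_out:
        print("Carve-out report: request the subservice organizations' own SOC reports.")
    for line in hits:
        print("  subservice:", line)
    for sub_id, mentions in coverage_gaps(map_to_csf(sections)).items():
        print(f"GAP {sub_id}: {CSF_SUBCATEGORIES[sub_id][0]}")
        for m in mentions:
            print("  mentioned only outside the controls section:", m)
    for exc in unanswered_exceptions(sections):
        print("No management response:", exc)
```

On the constructed excerpt the script reports the carve-out, flags PR.IP-4 as a gap (backups appear only as a testing exception, not as a control), and lists that same exception as lacking a management response. Two different checks land on the same sentence, which is the kind of thing a keyword pass over a long report surfaces quickly and a linear read can miss.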

Used this way to walk through any kind of vendor security audit report, the NIST Cybersecurity Framework is an excellent reference to work from when reviewing vendor security controls.

Additional Resources

“Technology Service Provider Strategy—The FFIEC’s members will expand their focus on technology service providers’ ability to respond to growing cyber threats and vulnerabilities.”