Practical Steps for Applying NIST CSF 2.0 to Third-Party Risk Management

John A. Wheeler

April 1, 2025

Third-party risk is no longer just an operational concern—it’s a strategic issue that impacts business performance, customer trust, and organizational resilience. A recent Gartner survey revealed that 45% of organizations experienced third-party related business interruptions over the past two years, underscoring the critical need for stronger third-party risk management (TPRM).

The 2024 release of the NIST Cybersecurity Framework (CSF) 2.0 introduces a game-changing opportunity to rethink TPRM. The new Govern (GV) Function shifts the focus from reactive compliance to proactive governance, emphasizing the integration of cybersecurity into enterprise risk management (ERM). This alignment empowers organizations to elevate their risk management strategies while addressing the growing complexity of supply chains and vendor ecosystems.

But adopting NIST CSF 2.0 isn’t just about checking boxes—it’s about transforming how businesses approach third-party risks. By focusing on actionable outcomes, organizations can embed cybersecurity into their overall risk strategy, ensuring measurable improvements in performance, resilience, assurance, and compliance—what I call the PRAC objectives. These objectives, derived from hundreds of client engagements and in-depth research, have proven universally relevant across industries, geographies, and company sizes.

NIST CSF 2.0 and the Govern Function: Addressing Third-Party Risks

The Govern Function in NIST CSF 2.0 provides guidance for embedding cybersecurity into enterprise governance frameworks. It calls for collaboration across business units, executive oversight, and alignment with ERM strategies. For third-party risk management, the Govern Function outlines several critical practices, such as:

  • Establishing supply chain risk management strategies and objectives (GV.SC-01).
  • Integrating third-party risk management into ERM and improvement processes (GV.SC-03).
  • Monitoring supplier risks throughout the vendor relationship lifecycle (GV.SC-07).
  • Including suppliers in incident response and recovery planning (GV.SC-08).

These practices align third-party risk management with enterprise-wide governance, providing a roadmap for integrating cybersecurity into decision-making and operations.

PRAC: A Universal Model for Risk Management Success

Based on extensive research and real-world interactions, I developed the PRAC objectives—Performance, Resilience, Assurance, and Compliance—as a blueprint for organizations to achieve meaningful, scalable risk management outcomes. These objectives provide a pragmatic way to operationalize NIST CSF 2.0 controls and are relevant for businesses of any size, industry, or geography.

Performance

Performance is about ensuring that third-party risk management efforts contribute to organizational success. Instead of treating TPRM as a back-office function, organizations can take the following steps to maximize its value:

  • Identify critical vendors and prioritize cybersecurity efforts based on their importance to business operations (GV.SC-04).
  • Use the right tools to track vendor performance against contractual security requirements and SLAs (GV.SC-05).
  • Leverage dashboards and analytics to measure vendor risk performance in real time.

Resilience

Resilience goes beyond surviving disruptions; it’s about thriving despite them. To enhance resilience, organizations should:

  • Monitor vendors for changes in their security postures and reassess risks as needed (GV.SC-07).
  • Include key suppliers in business continuity and disaster recovery plans (GV.SC-08).
  • Automate the detection of third-party vulnerabilities to enable proactive risk mitigation.

Assurance

Assurance provides stakeholders with the confidence that risks are effectively managed, fostering trust across the organization and with external partners. Organizations can build assurance by:

  • Documenting vendor risk assessments and security audits to demonstrate due diligence (GV.SC-06).
  • Generating reports that align with NIST CSF 2.0, NIST SP 800-53, and other regulatory standards.
  • Offering transparency into third-party risk activities through centralized risk dashboards.

Compliance

Compliance ensures adherence to both regulatory requirements and contractual obligations, minimizing exposure to legal or reputational risks. To streamline compliance, organizations should:

  • Automate the inclusion of cybersecurity requirements in vendor contracts (GV.SC-05).
  • Map risk management activities to industry standards like NIST CSF 2.0.
  • Streamline regulatory reporting with real-time access to compliance metrics.

Practical Steps for Applying NIST CSF 2.0

To operationalize NIST CSF 2.0 controls for third-party risk management, organizations should follow these practical steps:

  1. Build a Unified Governance Framework: Integrate third-party risk management with GRC and ERM processes. Establish clear roles, policies, and strategies for managing vendor risks across the organization.
  2. Prioritize Critical Vendors: Leverage the Identify (ID) Function to classify suppliers by their criticality and risk impact. The right platforms can automate this process, ensuring that resources are allocated efficiently.
  3. Implement Continuous Monitoring: Deploy the right tools to monitor supplier risks in real time, using threat intelligence and automated risk scoring to detect vulnerabilities early.
  4. Incorporate Vendors in Incident Response Plans: Collaborate with critical suppliers on joint incident response and recovery strategies. Document and regularly test these plans.
  5. Measure and Report Risk Outcomes: Use analytics to track PRAC metrics and communicate these results to executives, boards, and regulators, demonstrating the value of integrated third-party risk management.

Transform TPRM into a Proactive, Value-Driven Practice

The updated NIST CSF 2.0 framework provides a clear roadmap for integrating cybersecurity into enterprise governance, especially when managing third-party risks. By aligning with the Govern Function and focusing on the PRAC objectives, organizations can transform TPRM into a proactive, value-driven capability that drives performance, builds resilience, inspires stakeholder confidence, and ensures compliance. Organizations that embrace this integrated approach position themselves not just to mitigate risks but to seize opportunities for innovation and growth in an increasingly interconnected world.

John A. Wheeler

John A. Wheeler is the founder and CEO of Wheelhouse Advisors, and former Senior Advisor, Risk and Technology for AuditBoard. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.