With the increasing use of artificial intelligence (AI), emphasis on cloud-first strategies and rising reliance on third-party services and technologies, organizations must have a defense plan in place to respond to third-party risk. In response to these expected trends, over half (65%) of CISOs have increased their third-party risk management budget this year. The majority have allocated it for a specific solution to third-party threats. But before CISOs jump to invest in these resource-draining tools, they should take a step back and ensure they have done all they can to implement best cybersecurity practices using recommended and trusted frameworks. One of the most popular ones, adopted by organizations of all sizes and across industries, is the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (the National Institute of Standards and Technology Cybersecurity Framework) is the most widely used set of standards and guidelines for managing cybersecurity risk. A set of voluntary standards, the NIST CSF simplifies the steps organizations should take into a process that everyone can use to develop cybersecurity best practices. It was instituted in 2013 under Executive Order 13636, issued by Barack Obama as part of an initiative to strengthen the resilience of critical infrastructure against cyberattacks, and was developed by NIST through collaborative workshops, requests for information (RFIs) and drafts with input from both the public and private sectors. The first version was released in February 2014.
The NIST CSF 2.0 was officially released on February 26, 2024, marking the first major update since 2014. The update introduced a new “Govern” function and expanded the framework’s use beyond critical infrastructure, with added emphasis on enterprise-wide risk management and cybersecurity supply chain risk management.
Although it was first used explicitly by critical infrastructures such as healthcare, manufacturing and utilities, the framework has now been voluntarily adopted by leading global organizations of all sizes and industries.
The Foundation: NIST Cybersecurity Framework 800-53
The NIST Cybersecurity Framework is based on the NIST 800-53, a set of comprehensive standards that includes 800 controls developed for U.S. governmental agencies or those doing business with them. With its goal of reducing the risk of cybersecurity attacks to critical infrastructure by safeguarding information systems and improving the confidentiality, integrity and availability of their data, it has become a foundational document for cybersecurity best practices.
The NIST 800-53 was developed in 2002 as part of the E-Government Act, a response to the increasing number of high-profile data breaches and the recognition that more needed to be done to protect government services. It is also known as NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and is intended to help agencies meet the Federal Information Security Management Act (FISMA) requirements that were part of the E-Government Act.
How the NIST Cybersecurity Framework Facilitates TPRM
The NIST Cybersecurity Framework includes controls for third-party risk management and defines the role of each manager across the organization. Managers in the risk and compliance, IT, third-party risk and information security departments not only better understand their daily responsibilities for third-party risk management, but also know what to do in the event of a cybersecurity incident. The framework achieves this by offering a structured approach to third-party risk management, with functions, categories and subcategories for organizations to follow with respect to each supplier, contractor, external service, agency or other third party.
With the rise of AI vendors and SaaS-based large language model integrations, third-party risk must now account for model training data exposure, API dependencies, and continuous compliance monitoring.
The 6 Functions of the NIST Cybersecurity Framework
The NIST CSF is composed of six functions called the Framework Core. The goal of the Framework Core is to identify the steps organizations need to take to meet different cybersecurity standards and put the required steps into language that can be understood throughout the organization, including non-technical teams.
1. Identify
Organizations must develop a broad approach to cybersecurity that includes asset management, risk assessment, governance and supply chain risk management. This is done with an understanding of the business environment and its risk management strategy.
2. Protect
Organizations must ensure that critical infrastructure is protected through various internal controls such as identity management and access control, awareness and training, and data security. In addition, information security policies should be put in place to protect systems and assets, and they should enforce regular maintenance and the improvement of these controls when necessary. Finally, organizations should integrate protective technology to properly secure systems and assets and facilitate better resilience according to internal processes and agreements.
3. Detect
Organizations must identify security incidents as quickly as possible, whether through analysis of anomalous behavior, event investigation, continuous monitoring or other detection processes.
4. Respond
After your organization has been attacked, you’ll need a plan and process in place to act quickly and mitigate any impact. This should include response planning, communications, analysis of the response, support for recovery, mitigation, and the incorporation of lessons learned into best practices to improve the process for future incidents.
5. Recover
Organizations should have a plan in place to recover from any security incidents or data breaches as quickly as possible and ensure the continuity of business operations. This should include a documented recovery plan and process, continuous improvement and effective communications between the organization and third-party vendors.
6. Govern
Organizations must establish, communicate and continuously improve their cybersecurity risk management strategy, expectations and policies. The Governance function helps define organizational context, clarify roles and responsibilities, guide risk management decisions, enforce cybersecurity policies, provide oversight, and strengthen cybersecurity supply chain risk management. In practice, it ensures cybersecurity is treated as an enterprise-wide business risk, not just an IT issue, and that leadership, legal, compliance, procurement and security teams are aligned in how risk is identified, monitored and addressed. This function is especially important for third-party risk management, where organizations must set clear accountability, governance processes and ongoing review mechanisms for vendors, suppliers and external partners.
The Main Tiers of the NIST Cybersecurity Framework
Not all organizations have the same approach to their cybersecurity. This can be due to resources, education and awareness, and the lack of integration between cybersecurity risk management and operational risk management. Having a standardized approach to cybersecurity for organizations in different stages can help you determine which one you should implement.
The tiers of the NIST CSF function as benchmarks to demonstrate how well organizations are following the framework, in order from lowest to highest (1 being the lowest and 4 being the highest).
Tier 1: Partial
Tier 1 organizations perform cybersecurity risk management in an ad-hoc manner, without a system or process for prioritizing risks. As a result, the risks are challenging to manage and communicate to stakeholders and other managers within the organization. These organizations need to better understand where they fit into the supply chain, digital ecosystem and third-party dependencies so that they can develop a process to prevent these risks from posing a threat to both their organization and all other parties in their supply chain.
Tier 2: Risk Informed
In contrast, Tier 2 organizations have a risk management program in place, but it is not standardized across the organization. While they may partially understand where they fit into the larger supply chain, digital ecosystem or third-party dependencies, they do not comprehend it fully enough to share the information they have or act on it.
Tier 3: Repeatable
Tier 3 organizations have a risk management program in place and have integrated it across the organization. They understand where their organization fits into the broader security landscape – the digital supply chain, ecosystem and third-party dependencies – and are aware of the risks posed to both their organization and external parties, and they have a plan to act on them.
Tier 4: Adaptive
Tier 4 organizations continuously improve their risk management program based on past cybersecurity successes and failures. In addition, they share information with both internal and external stakeholders, and they have a standardized process in place so that they can act in real time on supply chain risks. For these organizations, cybersecurity risk is seen as one part of their approach to integrated risk management.
In 2026, organizations will increasingly integrate CSF tiers with continuous monitoring tools and AI-driven cyber risk scoring systems.
The NIST Cybersecurity Framework Profiles
The NIST Cybersecurity Framework profiles align the functions, categories and subcategories of the NIST CSF based on your organization’s specific needs and risk assessments. Organizations first identify the current profile to understand the controls currently put in place. After analyzing any security gaps in the security posture, they determine a target profile, or what needs to happen to close that gap, in order of priority. After the changes are implemented, the profiles are continuously monitored and updated accordingly.
New in CSF 2.0, profiles can now be developed for specific use cases, such as AI supply chain management, OT/ICS security or financial sector compliance, and aligned directly with international standards like ISO 42001 (AI Management Systems).
The NIST Cybersecurity Framework 2.0
Since the NIST CSF is a framework that is continuously improved and updated to meet evolving cybersecurity risks, it is open to constant feedback from stakeholders. More than a decade after the original NIST CSF was released, a sixth function has been added: Govern.
This new function helps to ensure that an organization is reducing cybersecurity risk at the operational, management and strategic levels. It does this by specifying the roles and responsibilities needed to carry out cybersecurity controls, along with the policies and procedures that govern them. The new Govern function also helps organizations align their cybersecurity best practices with enterprise risk management, legal and regulatory requirements, and cybersecurity supply chain risk management. In addition, CSF 2.0 expands the framework’s relevance beyond critical infrastructure to organizations across industries.
How Does AI Impact Third-Party Risk Under the NIST Cybersecurity Framework?
Artificial intelligence is rapidly expanding the scope and complexity of third-party risk. As organizations adopt AI-powered tools, large language models (LLMs) and SaaS-based AI services, they introduce new dependencies on external vendors that may have access to sensitive data, proprietary models or critical systems.
Within the NIST Cybersecurity Framework, AI-related third-party risk is addressed across multiple functions. In the Identify function, organizations must account for AI vendors in their asset inventory and assess risks related to data exposure, model integrity and supply chain dependencies. The Protect function requires implementing controls such as access management, data security and usage policies to prevent unauthorized use of AI systems. Detect emphasizes continuous monitoring for anomalous model behavior, unexpected outputs or signs of compromise in AI-driven services.
The Respond and Recover functions are also critical, as organizations must be prepared to address incidents involving AI vendors, such as data leakage, model manipulation or service outages. This includes having clear communication channels and remediation plans with third parties.
With the addition of the Govern function in NIST CSF 2.0, organizations are better equipped to manage AI-related risks at a strategic level. This includes defining policies for AI usage, assigning ownership for AI risk management, and ensuring alignment with legal, regulatory and ethical requirements.
As AI adoption grows, organizations must continuously reassess their third-party risk management strategies to account for evolving threats, including model training data exposure, API vulnerabilities and the lack of transparency in vendor AI systems. Incorporating AI into NIST CSF-driven processes helps ensure that these risks are managed proactively and consistently across the organization.
How Panorays Helps Manage Third-Party Risk
While the NIST CSF is a comprehensive framework for organizations to start building a cybersecurity strategy that includes third-party risk management, it has limitations. It does not adequately address newly evolving threats or technologies, prioritize different risks, threats and vulnerabilities, or identify the controls necessary to mitigate or remediate them. As organizations increasingly rely on SaaS applications for various technologies and services, assessing third-party risks has become more complex, and organizations rely on various tools to help them. When it comes to third-party risk management tools, there is no magic bullet. But using combinations of tools makes cyber risk management far more effective.
Panorays combines these tools, such as cybersecurity questionnaires, with an external attack surface assessment to deliver a 360-degree cyber rating of your supplier risk. The questionnaires are auto-generated and customized for each supplier based on your organization’s risk appetite, relevant regulations, and each company’s internal policies. Answers are AI-validated, and a series of remediation steps is given so that you can easily work with your third party to close any security gaps. The external attack surface assessment scans thousands of digital assets to reveal Shadow IT, along with fourth and fifth parties in your digital supply chain. It includes an assessment of social media presence, mentions of your vendor on dark web forums or marketplaces, and a comprehensive analysis across networks, applications, IT, and human factors.
Together, the cybersecurity questionnaire and external attack surface assessment provide comprehensive visibility into your third-party risk and a quick and simple method for remediation.
Want to learn more about how you can manage third-party risk across your extended attack surface? Get a demo today.
NIST Cybersecurity Framework FAQs
The NIST Cybersecurity Framework is a voluntary set of guidelines, standards and best practices related to cybersecurity for the private sector. Although originally established for organizations working with critical infrastructure and mandatory for U.S. government agencies, it is now used across organizations of all sizes and industries. The original framework includes five core functions: identify, protect, detect, respond and recover, and the latest version includes a sixth: govern.
- Identify. Understand the broad range of cybersecurity risks to the organization, including to its assets, systems, people, data and capabilities, in order to put the proper cybersecurity best practices in place to defend against them.
- Protect. Implement the controls needed to ensure the delivery of critical infrastructure services.
- Detect. Identify security incidents as quickly as possible through analysis of anomalous behavior, event investigation, continuous monitoring and/or other detection processes.
- Respond. Implement a plan and process to respond quickly when an incident does occur and mitigate its impact as much as possible.
- Recover. Ensure the business continues its operations through recovery planning, continuous improvement and communications between internal and external parties.
- Govern. Establish and oversee the organization’s cybersecurity risk management strategy, including defining roles and responsibilities, setting policies, guiding risk-based decision-making, and ensuring alignment between cybersecurity and overall business objectives.
The Detect function of the NIST Cybersecurity Framework includes:
- Anomalies and events. Check for unusual activity or patterns that might indicate a potential cybersecurity attack.
- Security continuous monitoring. Organizations must continuously monitor information systems and assets to evaluate the effectiveness of current security measures.
- Detection processes. Ensure detection processes are properly maintained and implemented to detect security incidents quickly and effectively.
The NIST Cybersecurity Framework is a flexible, risk-based framework that helps organizations identify and manage cybersecurity risk, while ISO 27001 and SOC 2 are more prescriptive standards used for certification or attestation. NIST CSF focuses on guiding cybersecurity strategy and operations, whereas ISO 27001 provides a formal information security management system (ISMS) and SOC 2 evaluates controls related to security, availability and confidentiality. Many organizations use NIST CSF alongside these standards to strengthen their overall security posture.
No, the NIST Cybersecurity Framework is voluntary for private sector organizations. However, it is widely adopted and often recommended, especially for organizations working with government entities or critical infrastructure. Some regulatory bodies may also reference NIST CSF as a best practice.
Yes, the NIST CSF is designed to complement other frameworks and standards such as ISO 27001, SOC 2 and CIS Controls. Organizations often use it as a high-level framework to align and organize their cybersecurity efforts while mapping it to more detailed or compliance-driven requirements.
NIST CSF 2.0 introduces the new Govern function, which strengthens oversight, accountability and alignment between cybersecurity and enterprise risk management. It also places greater emphasis on cybersecurity supply chain risk management, helping organizations better define roles, enforce policies and continuously monitor third-party risk across vendors and partners.
One of the main challenges is translating a high-level framework into actionable processes for managing large numbers of vendors. Organizations often struggle with limited visibility into third-party environments, inconsistent vendor assessments and difficulty prioritizing risks. Scaling these processes across complex supply chains can also require significant resources and coordination.
Yes, especially in version 2.0, the framework has evolved to better address modern risks such as AI, SaaS and complex supply chains. While it does not prescribe specific controls for every emerging technology, it provides a structure for identifying, managing and monitoring these risks within an organization’s broader cybersecurity strategy.
Continuous monitoring plays a critical role in the Detect function and across the entire framework. It enables organizations to identify new vulnerabilities, track changes in third-party risk and respond to threats in real time. Ongoing monitoring helps ensure that security controls remain effective and that emerging risks are addressed proactively.
While it is possible to implement NIST CSF manually, most organizations use tools to streamline the process. Tools can help automate vendor assessments, monitor external risk signals, track compliance and provide visibility across the supply chain. This becomes especially important as the number of third-party relationships grows.
To scale effectively, organizations need a combination of standardized processes and automation. This includes using consistent assessment frameworks, prioritizing vendors based on risk, automating questionnaires and leveraging continuous monitoring tools. Centralized platforms can help manage vendor data, track remediation efforts and ensure consistent enforcement of security policies across the entire third-party ecosystem.