In the IBM NIST and Zero Trust Security Model (ZTSM) training on Thursday, the SMEs stressed the importance for every vendor that works with the organization’s data whether hardware or software to be in compliance with their NIST and ZTSM policies. This includes vulnerability testing. This is new for many OEMs. It was just over a year ago that Microsoft became NIST certified. Most OEMs are not NIST certified. Although the DFARS NIST 800-171 CSF standard for the entire DoD Supply Chain has been required since the beginning of 2018, which pertains to over 300,000 businesses. Some of the companies that are promoting NIST and ZTSM have not passed their own audit yet. So, in the MyRepublic event, it was a third-party vulnerability that caused the breach. To examine your third-party vulnerabilities, start your NIST assessment this week. Have your procurement department request the external CSF certificates and vulnerability reports from your partners.
Then wait………… You will not get many. Professionals know you can do all the testing you want, but if your partner does not have a CSF culture, your network is sunk. So do the assessment this week. And tell your non-certified, non-compliant, non-tested partners they are at risk, and therefore making their your network vulnerable.
A culture to protect client and customer data is first created, then nurtured through training and development, and it is practiced by TechR2 teams in datacenters throughout the world. High technology execution does not happen without hard work.