Purpose
To protect state data, systems, and supply chain information and communications technology (ICT) through third-party risk management (TPRM).
Standard
North Dakota state government branches, agencies, and entities are required to ensure that any IT procurement that involves a vendor handling, storing, and/or transmitting state data undergoes an NDIT third-party assessment.
- Third-Party Risk Assessment:
Third-party risk assessments, also known as supply chain risk assessments, provide organizations with visibility into supply chain risks and allow organizations to respond appropriately to any identified risk.
Any organization IT procurement is required to be integrated into the State’s Third-Party Risk Management (TPRM) program and undergo a risk assessment. Continuing risk assessments will occur as needed.
Definitions
Information and Communications Technology – Encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.
Supply Chain – Organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and/or disposal of systems and system components. Also referred to as third-party vendor management.
Supply Chain Risk Management – A systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures.
Supply Chain Risk Assessment – A systematic examination of cybersecurity risks throughout the supply chain, likelihoods of their occurrence, and potential impacts.
Policy
To provide security and privacy best practices for third-party vendor management.
Scope
This standard applies to all executive branch state agencies including the University Systems Office but excluding other higher education institutions, i.e., campuses and agricultural and research centers.
Statement of Commitment
North Dakota's CIO/CTO directs that IT Policy be created to establish statewide information technology policies and standards as defined within ND Century Code (Chapter 54-59-09). Policy and standards for procurement by state agencies should also be established following ND Century Code (Chapter 54-59-05).
Non-Compliance
Non-compliance with this standard shall be reported to the Office of the State Auditor.
Resources
- National Institute of Standards and Technology (NIST)
- NIST Special Publication (SP) 800-161 Revision 1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- NIST Cybersecurity Supply Chain Risk Management (C-SCRM)
Revision Table
| Date | Authored by | Approved by | Version | Description of Change |
|---|---|---|---|---|
| 06/13/2023 | Kathleen Peery | NDIT Management | 1.0 | Initial Creation of Standard |