On February 21, 2024, drug distributor Cencora discovered attackers had been inside its systems stealing patient data it processed for pharmaceutical manufacturer clients. By September, Bloomberg reported the company had paid $75 million to the Dark Angels gang, the largest ransom payment on record.
A NIST vendor risk assessment questionnaire exists to catch that exposure before the contract is signed. Cencora was the vendor in this story: drugmakers including Novartis and Bayer had handed patient support data to a third party whose controls they now had to explain to regulators and patients.
| NIST Vendor Risk Assessment Questionnaire: Key Takeaways |
| Cencora discovered a breach of patient data it processed for drugmaker clients on February 21, 2024, and later paid $75 million, the largest known ransom (Bloomberg). |
| Third-party involvement in breaches doubled from 15% to 30% year over year in Verizon’s 2025 Data Breach Investigations Report. |
| A NIST vendor risk assessment questionnaire maps every question to SP 800-161, CSF 2.0, or the SP 800-53 SR control family, so answers trace to a federal baseline. |
| Run 40 questions across five domains: governance (8), supply chain and fourth parties (8), security controls (10), detection and response (8), resilience (6). |
| Score each answer 0-2 with evidence required; band totals into approved, conditional, remediation required, and do not onboard. |
| Critical vendors reassess annually with a six-month evidence refresh; breaches, ownership changes, and new integrations trigger off-cycle reviews. |
| Questionnaire findings must land in contracts and standing KRIs, or the exercise ends as a form in a folder. |
The timing could not be worse for generic checklists. Verizon’s 2025 Data Breach Investigations Report found third-party involvement in breaches doubled from 15% to 30% in a single year, so the 40 questions below map to NIST SP 800-161 and CSF 2.0, with the evidence to demand for each.
Why a NIST Vendor Risk Assessment Questionnaire Beats a Generic One
Generic questionnaires score the vendor’s paperwork; a NIST vendor risk assessment questionnaire scores the vendor’s controls against a published federal baseline. The difference showed at Cencora, where attacker access to systems holding names, diagnoses, and prescriptions was discovered only after the data was gone.

Figure 1. The Dark Angels gang demanded $150 million; Cencora paid $75 million and booked $31.4 million in breach costs over nine months.
The gap matters at portfolio scale. With 30% of breaches now involving a third party, per the 2025 DBIR, a questionnaire that cannot distinguish a hardened vendor from a lucky one misallocates the assurance budget across hundreds of relationships. Our vendor risk assessment questionnaire template covers the generic layer; this page adds the NIST mapping.
| Dimension | Generic questionnaire | NIST-mapped questionnaire |
| Question source | Vendor marketing or auditor habit | SP 800-161 controls, CSF 2.0 subcategories |
| Answer format | Yes/no attestations | Evidence requests tied to each control |
| Coverage | Security certificates | Governance, supply chain, detection, recovery |
| Scoring | Pass/fail by feel | 0-2 per question against tier thresholds |
| Fourth parties | Rarely asked | GV.SC and SR controls demand flow-down |
| Defensibility | Depends on the drafter | Traceable to a federal baseline |
The Sources Behind the NIST Vendor Risk Assessment Questionnaire
Three documents supply the questions. NIST SP 800-161 Revision 1 is the federal supply chain risk management standard, CSF 2.0 added a dedicated supply chain category in February 2024, and the SP 800-53 SR control family carries the contract-level requirements agencies impose on their own suppliers.
| NIST source | What it covers | What it gives the questionnaire |
| SP 800-161 Rev. 1 | Cybersecurity supply chain risk management practices | The control catalog behind the supply chain and governance blocks |
| CSF 2.0, GV.SC category | Ten supply chain governance subcategories | Supplier inventory, roles, contracts, and offboarding questions |
| SP 800-53 Rev. 5, SR family | Supply chain risk controls for federal systems | Flow-down, provenance, and notification requirements |
| CSF 2.0 core functions | Identify, Protect, Detect, Respond, Recover | The five-domain structure of the 40 questions |
CSF 2.0’s Govern function is the piece most generic questionnaires miss. Its GV.SC category runs ten subcategories from supplier inventory through post-contract offboarding, and our NIST CSF 2.0 changes guide walks the full list. The C-SCRM program guide shows where the questionnaire sits inside the wider program.
The 40-Question NIST Vendor Risk Assessment Questionnaire
Forty questions is deliberate. Below 30, the questionnaire misses whole control families; past 60, vendors route it to a proposal team that answers from a library, and signal drops. The budget below spreads questions across five domains, weighted toward the controls that failed in the incidents above.

Figure 2. Security controls carry ten questions; governance, supply chain, and detection carry eight each; resilience carries six.
Governance Questions in the NIST Vendor Risk Assessment Questionnaire
Governance questions establish who owns security at the vendor and whether that ownership survives staff turnover. GV.SC-01 through GV.SC-04 anchor this set. Weak answers here predicted trouble at every vendor incident in this article, because programs without named owners drift until an attacker finds the gap.
| # | Question | Evidence to request |
| 1 | Who owns cybersecurity at executive level, and how often does the board hear from them? | Org chart, date of last board report |
| 2 | Do you run a documented supply chain risk program aligned to SP 800-161? | Policy extract, last review date |
| 3 | When was your last enterprise security risk assessment, and who performed it? | Assessment summary, assessor credentials |
| 4 | How are employees and contractors screened and security-trained? | Training completion rates, screening policy |
| 5 | What data handling and retention rules apply to customer data? | Data policy, retention schedule |
| 6 | Which regulations bind you for our data (HIPAA, GLBA, NYDFS, DORA)? | Compliance attestations, audit letters |
| 7 | What cyber insurance do you carry, and what does it exclude? | Certificate of insurance, exclusions page |
| 8 | How do security duties flow down to your subcontractors? | Standard flow-down clause, sample contract |
Supply Chain Questions in the NIST Vendor Risk Assessment Questionnaire
Fourth parties broke several recent incidents, including the Drift integration compromise FINRA flagged to member firms. This block makes the vendor name its own critical suppliers, prove flow-down clauses, and disclose concentration. Our fourth-party risk management guide and vendor concentration guide carry the follow-up playbooks.
| # | Question | Evidence to request |
| 9 | Which fourth parties would touch our data or the service we buy? | Named subprocessor list |
| 10 | How do you assess your own critical suppliers? | Their questionnaire or assessment summary |
| 11 | Do you maintain a software bill of materials for products we use? | Current SBOM sample |
| 12 | What concentration risks sit in your supply chain (region, single source)? | Dependency map or narrative |
| 13 | How are open-source components inventoried and patched? | Component policy, scan output |
| 14 | What happens to our data when one of your subcontractors exits? | Offboarding procedure |
| 15 | Have any of your suppliers caused you an incident in 36 months? | Incident summary, remediation taken |
| 16 | How would you notify us of a material subcontractor change? | Contract clause, notice template |
Security Control Questions in the NIST Vendor Risk Assessment Questionnaire
The security block does the heaviest lifting, and it is where yes/no formats fail loudest. Every question in this block demands the artifact, current within twelve months: the patch SLA report, the access recertification, the penetration test summary. Attestation without evidence is how missing MFA on one remote portal stays invisible until it is national news.
| # | Question | Evidence to request |
| 17 | Is MFA enforced on all remote, administrative, and email access? | Configuration evidence, coverage percentage |
| 18 | How is our data encrypted at rest and in transit? | Encryption standards, key management note |
| 19 | What are your patch SLAs for critical vulnerabilities? | Last quarter’s SLA performance report |
| 20 | How is privileged access requested, approved, and recertified? | Last recertification date, PAM tooling |
| 21 | What security logs do you keep, and for how long? | Log retention schedule |
| 22 | How does security enter your development lifecycle? | SDLC gate description, last code audit |
| 23 | How is customer data segregated in multi-tenant systems? | Architecture note |
| 24 | How are secrets, keys, and tokens stored and rotated? | Secrets policy, rotation cadence |
| 25 | What endpoint detection coverage do you run? | EDR coverage percentage, tooling |
| 26 | When was your last independent penetration test, and what was critical? | Test summary, remediation status |
Detection and Response Questions in the NIST Vendor Risk Assessment Questionnaire
Cencora’s notification history is the case for these eight questions. Initial disclosure came within days, but individual notices to affected patients rolled out over months as the scope grew. Ask for the contractual notification clock in hours, the last tested incident response plan date, and the escalation path with names.
| # | Question | Evidence to request |
| 27 | Is security monitoring 24/7, and is it in-house or a provider? | SOC description, provider contract |
| 28 | What were your mean detection and containment times last year? | Metric report |
| 29 | When was the incident response plan last tested with an exercise? | Exercise date, after-action extract |
| 30 | What notification clock will you sign for incidents touching our data? | Contract clause stating hours |
| 31 | Do you keep a digital forensics retainer? | Retainer confirmation |
| 32 | Who decides whether you pay a ransom, and under what governance? | Playbook extract |
| 33 | How do you coordinate with law enforcement and regulators? | Procedure reference |
| 34 | How will you communicate with us during a live incident? | Cadence commitment, named contact |
Resilience Questions in the NIST Vendor Risk Assessment Questionnaire
The last block prices the outage scenario. CDK Global’s June 2024 ransomware outage cost US auto dealers an estimated $1.02 billion in three weeks, per Anderson Economic Group, and none of the roughly 15,000 affected dealerships could influence the vendor’s recovery clock. Demand proof of tested recovery objectives and a written exit plan before signature.
| # | Question | Evidence to request |
| 35 | What are your RTO and RPO for our service, and when were they last proven? | Test report date, results |
| 36 | Are backups isolated or immutable, and how often are restores tested? | Backup architecture, last restore test |
| 37 | What alternate processing exists if your primary site fails? | Disaster recovery summary |
| 38 | Which single points of failure exist (region, data center, key person)? | Dependency disclosure |
| 39 | What exit assistance and data return do you commit to contractually? | Exit clause, destruction certificate |
| 40 | Can your balance sheet fund a long recovery? | Financial statements or credit rating |
Scoring the NIST Vendor Risk Assessment Questionnaire
Score every answer 0, 1, or 2. Zero means no control or no evidence, one means the control exists with gaps or stale evidence, two means current evidence supports the answer. Weight the security and detection blocks at 1.5 for vendors touching regulated data, then band the total.
| Band | Score | Meaning | Action |
| Approved | 85% or more | Controls evidenced and current | Standard contract, annual reassessment |
| Conditional | 65% to 84% | Workable gaps, dated evidence | Remediation milestones written into the contract |
| Remediation first | 40% to 64% | Material control gaps | No onboarding until re-scored |
| Do not onboard | Below 40% | Absent program or refused evidence | Decline or executive risk acceptance |
Tie the bands to consequences the vendor sees in the contract. Conditional approval carries dated remediation milestones, and the supply chain KRI set turns the worst questionnaire findings into standing indicators the risk committee tracks between reassessments. The cyber KRI examples list covers the security block.

Figure 3. The 2025 Verizon DBIR found third-party involvement in breaches doubled to 30%, which is the base rate the scoring bands must price.
Running the NIST Vendor Risk Assessment Questionnaire Process
Reassessment cadence follows the tier you assigned at intake. Critical vendors answer the full 40 questions annually with an evidence refresh at six months, important vendors run the full set every two years with an annual short form, and low-tier vendors answer a 12-question core at onboarding only. The third-party risk management framework sets the tiers.
| Vendor tier | Full questionnaire | Evidence refresh | Off-cycle triggers |
| Critical | Annually | Every 6 months | Breach, ownership change, new integration |
| Important | Every 2 years | Annually (short form) | Breach or material subcontractor change |
| Standard | At onboarding | At renewal | Incident affecting your data |
Contract language makes the answers enforceable. Notification clocks, audit rights, flow-down duties, and exit assistance all move from questionnaire to schedule, the way the DORA third-party register template structures them for EU-regulated firms and the NYDFS Part 500 guide does for New York licensees. SaaS vendors get the cloud-specific set.
Send the questionnaire before the pilot, never after go-live; negotiating power disappears the day the integration ships. Pair questionnaire findings with ongoing performance data from the supplier performance guide, and align program vocabulary with ISO 28000 so procurement and security read the same terms.
Frequently Asked Questions About the NIST Vendor Risk Assessment Questionnaire
What is a NIST vendor risk assessment questionnaire?
A NIST vendor risk assessment questionnaire is a supplier due diligence instrument whose questions map to NIST SP 800-161, CSF 2.0, and the SP 800-53 SR control family. The mapping makes every answer traceable to a federal baseline, which turns vendor review from opinion into an auditable scoring exercise.
How many questions should a NIST vendor risk assessment questionnaire have?
Run 40 questions for critical and important vendors and a 12-question core set for the low tier. Sixty-question monsters buy nothing extra; vendors hand them to a proposal team and the answers converge on boilerplate. Keep 30 as the floor, below which whole control families escape examination.
Does a SOC 2 report replace the NIST vendor risk assessment questionnaire?
No. A SOC 2 Type II report is strong evidence for several security control questions, but its scope is set by the vendor and routinely excludes the subsidiaries, integrations, and data flows that break in real incidents. Use the report as evidence inside the questionnaire, and question everything outside its scope.
How often should the NIST vendor risk assessment questionnaire be reissued?
Reissue annually for critical vendors, every two years for important ones, and at onboarding for the rest. Reassess off-cycle on triggers: a vendor breach or near miss, a change of ownership, a new integration touching your data, or a material subcontractor change. Trigger-driven reassessment catches what calendars miss.
Which publications feed a NIST vendor risk assessment questionnaire?
Three publications carry the load: SP 800-161 Revision 1 for supply chain risk management controls, CSF 2.0 for the GV.SC governance subcategories added in February 2024, and SP 800-53 Revision 5 for the SR control family. Our NIST CSF risk assessment guide shows the same sources applied internally.
Can small vendors realistically complete a NIST vendor risk assessment questionnaire?
Yes, if the tiering is honest. A 20-person vendor with no access to regulated data answers the 12-question core, and reviewers accept compensating controls where formal programs are thin. The evidence bar stays fixed for one thing only: how the vendor stores, segregates, and returns your data.
NIST Vendor Risk Assessment Questionnaire Pitfalls and Remedies
Questionnaire programs fail in predictable ways, and the failures are almost always process failures, with the question wording rarely at fault. The table below pairs the seven most common with remedies drawn from the sections above, so each fix is one click back up the page.
| Pitfall | Root cause | Remedy |
| Attestations accepted without evidence | Reviewer volume pressure | Evidence column enforced for the security block |
| SOC 2 treated as a full pass | Scope misunderstanding | Map the report to questions; probe outside its scope |
| Same depth for every vendor | No tiering model | 40 questions for critical, 12-question core below |
| No off-cycle reassessment | Calendar-only reviews | Breach, M&A, and integration triggers in the contract |
| Answers never reach the contract | Procurement and security split | Notification clocks and audit rights moved to schedules |
| Fourth parties never asked about | Questionnaire stops at tier one | Subprocessor list, flow-down proof, SBOM questions |
| Findings die in a spreadsheet | No monitoring hand-off | Worst findings become standing KRIs with owners |
Looking Ahead: The NIST Vendor Risk Assessment Questionnaire Through 2027
Expect the 30% third-party breach share to keep climbing before it falls. The 2025 DBIR tied the doubling to SaaS concentration and integration sprawl, and nothing in the 2026 incident record suggests the curve has bent. Questionnaire depth is cheap insurance against a worsening base rate.
By 2027, questionnaire exchange will likely be machine-readable. OSCAL, NIST’s open security controls assessment language, already lets vendors publish control catalogs as structured data, and federal agencies are moving assessment artifacts onto it. The 40 questions stay the same while the transport changes.
Regulatory convergence is already visible. DORA’s register of information, NYDFS Part 500’s third-party rules, and the SEC’s cybersecurity disclosure regime all reward firms that can produce vendor assessments on demand, and our DORA versus NIS2 comparison maps the EU side. One questionnaire, mapped once, should feed every regime, with ISO 31000 supplying the risk vocabulary.
Start with the ten vendors that touch your most sensitive data, using the cyber risk management plan to frame the exercise. Issue the 40 questions, demand evidence for the security block, and score honestly; the first round always produces at least one conditional approval nobody expected. That finding, surfaced before renewal, is the questionnaire paying for itself.
Infographic: NIST Vendor Risk Assessment Questionnaire vs Generic

Figure 4. Six dimensions separate a generic checklist from a NIST-mapped questionnaire, from question source through what happens to the findings.
Deploy Your NIST Vendor Risk Assessment Questionnaire With Risk Publishing
We help US compliance and procurement leads at regulated mid-market firms convert this NIST vendor risk assessment questionnaire into a scored, contract-ready program in three working sessions. See what our advisory services cover, then contact us with your vendor inventory; the first session tiers it and drafts the evidence request list.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.