On February 21, 2024, drug distributor Cencora discovered attackers had been inside its systems stealing patient data it processed for pharmaceutical manufacturer clients. By September, Bloomberg reported the company had paid $75 million to the Dark Angels gang, the largest ransom payment on record.

A NIST vendor risk assessment questionnaire exists to catch that exposure before the contract is signed. Cencora was the vendor in this story: drugmakers including Novartis and Bayer had handed patient support data to a third party whose controls they now had to explain to regulators and patients.

NIST Vendor Risk Assessment Questionnaire: Key Takeaways
Cencora discovered a breach of patient data it processed for drugmaker clients on February 21, 2024, and later paid $75 million, the largest known ransom (Bloomberg).
Third-party involvement in breaches doubled from 15% to 30% year over year in Verizon’s 2025 Data Breach Investigations Report.
A NIST vendor risk assessment questionnaire maps every question to SP 800-161, CSF 2.0, or the SP 800-53 SR control family, so answers trace to a federal baseline.
Run 40 questions across five domains: governance (8), supply chain and fourth parties (8), security controls (10), detection and response (8), resilience (6).
Score each answer 0-2 with evidence required; band totals into approved, conditional, remediation required, and do not onboard.
Critical vendors reassess annually with a six-month evidence refresh; breaches, ownership changes, and new integrations trigger off-cycle reviews.
Questionnaire findings must land in contracts and standing KRIs, or the exercise ends as a form in a folder.

The timing could not be worse for generic checklists. Verizon’s 2025 Data Breach Investigations Report found third-party involvement in breaches doubled from 15% to 30% in a single year, so the 40 questions below map to NIST SP 800-161 and CSF 2.0, with the evidence to demand for each.

Why a NIST Vendor Risk Assessment Questionnaire Beats a Generic One

Generic questionnaires score the vendor’s paperwork; a NIST vendor risk assessment questionnaire scores the vendor’s controls against a published federal baseline. The difference showed at Cencora, where attacker access to systems holding names, diagnoses, and prescriptions was discovered only after the data was gone.

NIST Vendor Risk Assessment Questionnaire: 40 Mapped Questions

Figure 1. The Dark Angels gang demanded $150 million; Cencora paid $75 million and booked $31.4 million in breach costs over nine months.

The gap matters at portfolio scale. With 30% of breaches now involving a third party, per the 2025 DBIR, a questionnaire that cannot distinguish a hardened vendor from a lucky one misallocates the assurance budget across hundreds of relationships. Our vendor risk assessment questionnaire template covers the generic layer; this page adds the NIST mapping.

Dimension Generic questionnaire NIST-mapped questionnaire
Question source Vendor marketing or auditor habit SP 800-161 controls, CSF 2.0 subcategories
Answer format Yes/no attestations Evidence requests tied to each control
Coverage Security certificates Governance, supply chain, detection, recovery
Scoring Pass/fail by feel 0-2 per question against tier thresholds
Fourth parties Rarely asked GV.SC and SR controls demand flow-down
Defensibility Depends on the drafter Traceable to a federal baseline

The Sources Behind the NIST Vendor Risk Assessment Questionnaire

Three documents supply the questions. NIST SP 800-161 Revision 1 is the federal supply chain risk management standard, CSF 2.0 added a dedicated supply chain category in February 2024, and the SP 800-53 SR control family carries the contract-level requirements agencies impose on their own suppliers.

NIST source What it covers What it gives the questionnaire
SP 800-161 Rev. 1 Cybersecurity supply chain risk management practices The control catalog behind the supply chain and governance blocks
CSF 2.0, GV.SC category Ten supply chain governance subcategories Supplier inventory, roles, contracts, and offboarding questions
SP 800-53 Rev. 5, SR family Supply chain risk controls for federal systems Flow-down, provenance, and notification requirements
CSF 2.0 core functions Identify, Protect, Detect, Respond, Recover The five-domain structure of the 40 questions

CSF 2.0’s Govern function is the piece most generic questionnaires miss. Its GV.SC category runs ten subcategories from supplier inventory through post-contract offboarding, and our NIST CSF 2.0 changes guide walks the full list. The C-SCRM program guide shows where the questionnaire sits inside the wider program.

The 40-Question NIST Vendor Risk Assessment Questionnaire

Forty questions is deliberate. Below 30, the questionnaire misses whole control families; past 60, vendors route it to a proposal team that answers from a library, and signal drops. The budget below spreads questions across five domains, weighted toward the controls that failed in the incidents above.

NIST Vendor Risk Assessment Questionnaire: 40 Mapped Questions

Figure 2. Security controls carry ten questions; governance, supply chain, and detection carry eight each; resilience carries six.

Governance Questions in the NIST Vendor Risk Assessment Questionnaire

Governance questions establish who owns security at the vendor and whether that ownership survives staff turnover. GV.SC-01 through GV.SC-04 anchor this set. Weak answers here predicted trouble at every vendor incident in this article, because programs without named owners drift until an attacker finds the gap.

# Question Evidence to request
1 Who owns cybersecurity at executive level, and how often does the board hear from them? Org chart, date of last board report
2 Do you run a documented supply chain risk program aligned to SP 800-161? Policy extract, last review date
3 When was your last enterprise security risk assessment, and who performed it? Assessment summary, assessor credentials
4 How are employees and contractors screened and security-trained? Training completion rates, screening policy
5 What data handling and retention rules apply to customer data? Data policy, retention schedule
6 Which regulations bind you for our data (HIPAA, GLBA, NYDFS, DORA)? Compliance attestations, audit letters
7 What cyber insurance do you carry, and what does it exclude? Certificate of insurance, exclusions page
8 How do security duties flow down to your subcontractors? Standard flow-down clause, sample contract

Supply Chain Questions in the NIST Vendor Risk Assessment Questionnaire

Fourth parties broke several recent incidents, including the Drift integration compromise FINRA flagged to member firms. This block makes the vendor name its own critical suppliers, prove flow-down clauses, and disclose concentration. Our fourth-party risk management guide and vendor concentration guide carry the follow-up playbooks.

# Question Evidence to request
9 Which fourth parties would touch our data or the service we buy? Named subprocessor list
10 How do you assess your own critical suppliers? Their questionnaire or assessment summary
11 Do you maintain a software bill of materials for products we use? Current SBOM sample
12 What concentration risks sit in your supply chain (region, single source)? Dependency map or narrative
13 How are open-source components inventoried and patched? Component policy, scan output
14 What happens to our data when one of your subcontractors exits? Offboarding procedure
15 Have any of your suppliers caused you an incident in 36 months? Incident summary, remediation taken
16 How would you notify us of a material subcontractor change? Contract clause, notice template

Security Control Questions in the NIST Vendor Risk Assessment Questionnaire

The security block does the heaviest lifting, and it is where yes/no formats fail loudest. Every question in this block demands the artifact, current within twelve months: the patch SLA report, the access recertification, the penetration test summary. Attestation without evidence is how missing MFA on one remote portal stays invisible until it is national news.

# Question Evidence to request
17 Is MFA enforced on all remote, administrative, and email access? Configuration evidence, coverage percentage
18 How is our data encrypted at rest and in transit? Encryption standards, key management note
19 What are your patch SLAs for critical vulnerabilities? Last quarter’s SLA performance report
20 How is privileged access requested, approved, and recertified? Last recertification date, PAM tooling
21 What security logs do you keep, and for how long? Log retention schedule
22 How does security enter your development lifecycle? SDLC gate description, last code audit
23 How is customer data segregated in multi-tenant systems? Architecture note
24 How are secrets, keys, and tokens stored and rotated? Secrets policy, rotation cadence
25 What endpoint detection coverage do you run? EDR coverage percentage, tooling
26 When was your last independent penetration test, and what was critical? Test summary, remediation status

Detection and Response Questions in the NIST Vendor Risk Assessment Questionnaire

Cencora’s notification history is the case for these eight questions. Initial disclosure came within days, but individual notices to affected patients rolled out over months as the scope grew. Ask for the contractual notification clock in hours, the last tested incident response plan date, and the escalation path with names.

# Question Evidence to request
27 Is security monitoring 24/7, and is it in-house or a provider? SOC description, provider contract
28 What were your mean detection and containment times last year? Metric report
29 When was the incident response plan last tested with an exercise? Exercise date, after-action extract
30 What notification clock will you sign for incidents touching our data? Contract clause stating hours
31 Do you keep a digital forensics retainer? Retainer confirmation
32 Who decides whether you pay a ransom, and under what governance? Playbook extract
33 How do you coordinate with law enforcement and regulators? Procedure reference
34 How will you communicate with us during a live incident? Cadence commitment, named contact

Resilience Questions in the NIST Vendor Risk Assessment Questionnaire

The last block prices the outage scenario. CDK Global’s June 2024 ransomware outage cost US auto dealers an estimated $1.02 billion in three weeks, per Anderson Economic Group, and none of the roughly 15,000 affected dealerships could influence the vendor’s recovery clock. Demand proof of tested recovery objectives and a written exit plan before signature.

# Question Evidence to request
35 What are your RTO and RPO for our service, and when were they last proven? Test report date, results
36 Are backups isolated or immutable, and how often are restores tested? Backup architecture, last restore test
37 What alternate processing exists if your primary site fails? Disaster recovery summary
38 Which single points of failure exist (region, data center, key person)? Dependency disclosure
39 What exit assistance and data return do you commit to contractually? Exit clause, destruction certificate
40 Can your balance sheet fund a long recovery? Financial statements or credit rating

Scoring the NIST Vendor Risk Assessment Questionnaire

Score every answer 0, 1, or 2. Zero means no control or no evidence, one means the control exists with gaps or stale evidence, two means current evidence supports the answer. Weight the security and detection blocks at 1.5 for vendors touching regulated data, then band the total.

Band Score Meaning Action
Approved 85% or more Controls evidenced and current Standard contract, annual reassessment
Conditional 65% to 84% Workable gaps, dated evidence Remediation milestones written into the contract
Remediation first 40% to 64% Material control gaps No onboarding until re-scored
Do not onboard Below 40% Absent program or refused evidence Decline or executive risk acceptance

Tie the bands to consequences the vendor sees in the contract. Conditional approval carries dated remediation milestones, and the supply chain KRI set turns the worst questionnaire findings into standing indicators the risk committee tracks between reassessments. The cyber KRI examples list covers the security block.

NIST Vendor Risk Assessment Questionnaire: 40 Mapped Questions

Figure 3. The 2025 Verizon DBIR found third-party involvement in breaches doubled to 30%, which is the base rate the scoring bands must price.

Running the NIST Vendor Risk Assessment Questionnaire Process

Reassessment cadence follows the tier you assigned at intake. Critical vendors answer the full 40 questions annually with an evidence refresh at six months, important vendors run the full set every two years with an annual short form, and low-tier vendors answer a 12-question core at onboarding only. The third-party risk management framework sets the tiers.

Vendor tier Full questionnaire Evidence refresh Off-cycle triggers
Critical Annually Every 6 months Breach, ownership change, new integration
Important Every 2 years Annually (short form) Breach or material subcontractor change
Standard At onboarding At renewal Incident affecting your data

Contract language makes the answers enforceable. Notification clocks, audit rights, flow-down duties, and exit assistance all move from questionnaire to schedule, the way the DORA third-party register template structures them for EU-regulated firms and the NYDFS Part 500 guide does for New York licensees. SaaS vendors get the cloud-specific set.

Send the questionnaire before the pilot, never after go-live; negotiating power disappears the day the integration ships. Pair questionnaire findings with ongoing performance data from the supplier performance guide, and align program vocabulary with ISO 28000 so procurement and security read the same terms.

Frequently Asked Questions About the NIST Vendor Risk Assessment Questionnaire

What is a NIST vendor risk assessment questionnaire?

A NIST vendor risk assessment questionnaire is a supplier due diligence instrument whose questions map to NIST SP 800-161, CSF 2.0, and the SP 800-53 SR control family. The mapping makes every answer traceable to a federal baseline, which turns vendor review from opinion into an auditable scoring exercise.

How many questions should a NIST vendor risk assessment questionnaire have?

Run 40 questions for critical and important vendors and a 12-question core set for the low tier. Sixty-question monsters buy nothing extra; vendors hand them to a proposal team and the answers converge on boilerplate. Keep 30 as the floor, below which whole control families escape examination.

Does a SOC 2 report replace the NIST vendor risk assessment questionnaire?

No. A SOC 2 Type II report is strong evidence for several security control questions, but its scope is set by the vendor and routinely excludes the subsidiaries, integrations, and data flows that break in real incidents. Use the report as evidence inside the questionnaire, and question everything outside its scope.

How often should the NIST vendor risk assessment questionnaire be reissued?

Reissue annually for critical vendors, every two years for important ones, and at onboarding for the rest. Reassess off-cycle on triggers: a vendor breach or near miss, a change of ownership, a new integration touching your data, or a material subcontractor change. Trigger-driven reassessment catches what calendars miss.

Which publications feed a NIST vendor risk assessment questionnaire?

Three publications carry the load: SP 800-161 Revision 1 for supply chain risk management controls, CSF 2.0 for the GV.SC governance subcategories added in February 2024, and SP 800-53 Revision 5 for the SR control family. Our NIST CSF risk assessment guide shows the same sources applied internally.

Can small vendors realistically complete a NIST vendor risk assessment questionnaire?

Yes, if the tiering is honest. A 20-person vendor with no access to regulated data answers the 12-question core, and reviewers accept compensating controls where formal programs are thin. The evidence bar stays fixed for one thing only: how the vendor stores, segregates, and returns your data.

NIST Vendor Risk Assessment Questionnaire Pitfalls and Remedies

Questionnaire programs fail in predictable ways, and the failures are almost always process failures, with the question wording rarely at fault. The table below pairs the seven most common with remedies drawn from the sections above, so each fix is one click back up the page.

Pitfall Root cause Remedy
Attestations accepted without evidence Reviewer volume pressure Evidence column enforced for the security block
SOC 2 treated as a full pass Scope misunderstanding Map the report to questions; probe outside its scope
Same depth for every vendor No tiering model 40 questions for critical, 12-question core below
No off-cycle reassessment Calendar-only reviews Breach, M&A, and integration triggers in the contract
Answers never reach the contract Procurement and security split Notification clocks and audit rights moved to schedules
Fourth parties never asked about Questionnaire stops at tier one Subprocessor list, flow-down proof, SBOM questions
Findings die in a spreadsheet No monitoring hand-off Worst findings become standing KRIs with owners

Looking Ahead: The NIST Vendor Risk Assessment Questionnaire Through 2027

Expect the 30% third-party breach share to keep climbing before it falls. The 2025 DBIR tied the doubling to SaaS concentration and integration sprawl, and nothing in the 2026 incident record suggests the curve has bent. Questionnaire depth is cheap insurance against a worsening base rate.

By 2027, questionnaire exchange will likely be machine-readable. OSCAL, NIST’s open security controls assessment language, already lets vendors publish control catalogs as structured data, and federal agencies are moving assessment artifacts onto it. The 40 questions stay the same while the transport changes.

Regulatory convergence is already visible. DORA’s register of information, NYDFS Part 500’s third-party rules, and the SEC’s cybersecurity disclosure regime all reward firms that can produce vendor assessments on demand, and our DORA versus NIS2 comparison maps the EU side. One questionnaire, mapped once, should feed every regime, with ISO 31000 supplying the risk vocabulary.

Start with the ten vendors that touch your most sensitive data, using the cyber risk management plan to frame the exercise. Issue the 40 questions, demand evidence for the security block, and score honestly; the first round always produces at least one conditional approval nobody expected. That finding, surfaced before renewal, is the questionnaire paying for itself.

Infographic: NIST Vendor Risk Assessment Questionnaire vs Generic

Comparison infographic contrasting a generic checklist with a NIST vendor risk assessment questionnaire across six dimensions from question source to outcome

Figure 4. Six dimensions separate a generic checklist from a NIST-mapped questionnaire, from question source through what happens to the findings.

 

Deploy Your NIST Vendor Risk Assessment Questionnaire With Risk Publishing

We help US compliance and procurement leads at regulated mid-market firms convert this NIST vendor risk assessment questionnaire into a scored, contract-ready program in three working sessions. See what our advisory services cover, then contact us with your vendor inventory; the first session tiers it and drafts the evidence request list.

Index