NIST 800-53 REV 5 • PLANNING

PL-8(2) Supplier Diversity

Require that {{ insert: param, pl-08.02_odp.01 }} allocated to {{ insert: param, pl-08.02_odp.02 }} are obtained from different suppliers.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules. By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code. With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods. Using multiple products may result in more assurance that personally identifiable information is inventoried.

Practitioner Notes

This enhancement requires that the controls you designate, at the locations and architectural layers you designate, are obtained from different suppliers (vendor diversity), so that a vulnerability, signature gap, or outage in one supplier's product does not disable every layer of your defenses at the same time. Both assignments are organization-defined: you decide which controls must be diverse and where.

Example 1: Use different vendors for different security layers: one vendor for your perimeter firewall (e.g., Palo Alto), a different vendor for endpoint protection (e.g., CrowdStrike), and another for your SIEM (e.g., Splunk). This way, a zero-day in one vendor's product does not leave all layers exposed. The supplemental guidance also covers diversity within a single function: the same control (for example, malicious code protection) deployed at different locations from different suppliers, so that at least one product is likely to detect a given sample. Weigh the benefit against the cost of integrating and staffing additional tools; diversity pays off most where a single supplier's failure would otherwise remove an entire layer.

Example 2: Document your vendor diversity strategy in your security architecture. Include a matrix that maps each security function, and each location or layer it is allocated to, to its supplier and product. Review this matrix when renewing contracts or evaluating new products to ensure you are not consolidating too many critical functions with a single vendor. Note that two products from different vendors that share the same underlying engine or upstream component provide less diversity than the matrix suggests, so record shared components where you know of them.