The National Institute of Standards and Technology (NIST), the federal agency that develops and issues standards, guidelines and publications for federal agencies, is urging agencies to be aware of the security risks associated with using third-party data recovery vendors.
NIST has added text to its “Contingency Planning Guide for Federal Information Systems” that urges federal agencies to increase awareness of the security risks when using third-party data recovery vendors. The added text also urges agencies to increase scrutiny and vetting of third-party data recovery vendors—within an agency’s Vendor Risk Management Programs—and require non-disclosure agreements from those vendors.
The new section of the Contingency Planning Guide says, "Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non-disclosure agreements, be properly bonded, and adhere to organization-specific security policies."