compliance governance

Managing Third-Party Vendor Risk

Build and run a third-party / vendor risk management (TPRM) program aligned to NIST SP 800-161 C-SCRM and NIST CSF 2.0 GV.SC: inventory and tier vendors by risk, send the right due-diligence questionnaire (SIG, CAIQ), review evidence (SOC 2, ISO 27001, pen-test reports), set contractual security and right-to-audit clauses, monitor vendors continuously, manage Nth-party / subcontractor risk, and offboard securely. Use when an organization needs to assess a new vendor before onboarding, when standing up or maturing a vendor-risk program, when tiering a vendor portfolio, when reviewing a SOC 2 or CAIQ, when writing security requirements into a contract or DPA, when a vendor suffers a breach, or when managing supply-chain / software supply-chain risk. Keywords: third-party risk, vendor risk management, TPRM, supply chain risk, C-SCRM, NIST 800-161, vendor tiering, SIG questionnaire, CAIQ, SOC 2, ISO 27001, right to audit, continuous monitoring, security ratings, fourth-party risk, Nth-party, vendor offboarding, due diligence.

c-scrmcaiqcontinuous-monitoringgovernancenist-800-161soc2supply-chain-riskthird-party-risk
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When assessing a new vendor before onboarding, especially one that will handle sensitive data, connect to your network, or be embedded in a critical process.
  • When standing up or maturing a third-party risk management (TPRM) program and you need a repeatable tiering + assessment workflow.
  • When tiering an existing vendor portfolio so effort matches risk.
  • When reviewing vendor evidence — a SOC 2 Type II report, ISO 27001 certificate, CAIQ, or pen-test summary — and you need to know what to look for.
  • When writing security and privacy requirements into a contract / DPA, including breach-notification SLAs and right-to-audit.
  • When a vendor (or their subcontractor) suffers a breach and you must assess exposure.
  • When managing software supply-chain and Nth-party (fourth-party and beyond) risk.

Prerequisites

  • A vendor inventory (who you use, for what, and what data/access each has).
  • A defined risk-tiering model (criteria and thresholds) agreed with the business.
  • Access to standardized questionnaires (Shared Assessments SIG, CSA CAIQ) and a way to collect evidence.
  • Clarity on your own regulatory obligations that flow down to vendors (e.g., HIPAA BAAs, CMMC flowdown, GDPR processor terms, PCI).
  • Stakeholders identified: procurement, legal, security, data owner, and the business sponsor.

Workflow

1. Inventory and classify vendors

Catalog every third party and capture: data sensitivity handled, type of access (network, physical, none), business criticality, and regulatory scope. You cannot manage what you have not inventoried — shadow vendors are a common blind spot.

2. Tier by inherent risk

Score each vendor on inherent-risk factors (data sensitivity, access, criticality, regulatory scope, spend/concentration) and assign a tier (e.g., Critical / High / Moderate / Low). The tier drives how deep the assessment goes and how often you reassess. A payroll processor with PII and system access is not the same risk as a stock-photo subscription.

3. Run tier-appropriate due diligence

  • Critical/High: full SIG (or SIG Core), request SOC 2 Type II and/or ISO 27001, recent pen-test summary, and evidence of an incident-response capability. Consider an assessor call.
  • Moderate: SIG Lite or CAIQ, plus key attestations.
  • Low: lightweight questionnaire / self-attestation.

4. Review evidence critically

Don't just collect — read:

  • SOC 2 Type II: check scope, the Trust Services Criteria covered, the audit period (not just the date), and especially the exceptions/deviations and any qualified opinion. A clean cover page can hide noted exceptions.
  • ISO 27001: confirm the scope statement and the Statement of Applicability actually cover the service you're buying.
  • CAIQ: look for "no" answers and CCM domains left blank.
  • Pen-test: age, scope, and whether highs/criticals were remediated.

5. Identify gaps and decide

Compare findings against your control requirements. For each gap: accept, require remediation (with a date), add a compensating control on your side, or walk away. Record the residual risk and a risk-owner decision.

6. Codify in the contract / DPA

Bake requirements into the agreement: security control obligations, breach-notification timeline, data-handling and return/destruction terms, right-to-audit / right to assessment evidence, subcontractor (Nth-party) flowdown, and liability/insurance. Contracts are where TPRM gets teeth.

7. Monitor continuously

Tiering is not a one-time gate. For higher tiers: periodic reassessment, security-ratings feeds, breach/news monitoring, certificate-expiry tracking, and watching for material changes (acquisition, region change, new subprocessors). Re-tier on change.

8. Manage Nth-party and concentration risk

Map critical fourth parties (your vendor's key subprocessors) and watch for concentration (many vendors riding on the same upstream provider) — a single upstream outage or breach can hit your whole portfolio at once.

9. Offboard securely

On termination: revoke access and credentials, confirm data return or certified destruction, remove integrations/API keys, and update the inventory. Un-offboarded vendors are standing risk.

Key Concepts

Concept Definition
Inherent risk Risk a vendor poses before controls — drives tiering.
Residual risk Risk remaining after the vendor's (and your) controls.
Vendor tier Risk band (Critical/High/Moderate/Low) setting assessment depth and cadence.
SIG Shared Assessments Standardized Information Gathering questionnaire (full / Lite / Core).
CAIQ CSA Consensus Assessments Initiative Questionnaire (maps to the Cloud Controls Matrix).
SOC 2 Type II Attestation on control design and operating effectiveness over a period.
Right to audit Contractual right to assess the vendor or obtain assessment evidence.
Nth-party / fourth-party Your vendor's vendors (and beyond) — indirect supply-chain risk.
Concentration risk Many vendors depending on the same upstream provider.
C-SCRM Cybersecurity Supply Chain Risk Management (NIST SP 800-161).

Tools & Systems

  • NIST SP 800-161 Rev 1 — Cybersecurity Supply Chain Risk Management practices.
  • NIST CSF 2.0 — GV.SC — the supply-chain risk-management category (program backbone).
  • Shared Assessments SIG and CSA CAIQ / STAR registry — standardized questionnaires.
  • SOC 2 / ISO 27001 / PCI AOC / pen-test reports — vendor evidence.
  • Security-ratings services (e.g., BitSight/SecurityScorecard-style) — continuous external signal.
  • TPRM platforms — OneTrust, ProcessUnity, Prevalent, ServiceNow VRM, etc., to manage the workflow and inventory.
  • GDPR DPA / HIPAA BAA / CMMC flowdown — regulatory contract instruments.

Common Scenarios

  • New SaaS onboarding. Tier it, send the right questionnaire, read the SOC 2 exceptions, set contract terms, then approve with documented residual risk.
  • Portfolio has 400 vendors, no tiers. Tier first; concentrate assessment effort on the Critical/High tail rather than spreading thin.
  • Vendor breach in the news. Pull the vendor record, assess data/access exposure, invoke the breach-notification clause, and require a post-incident report.
  • Auditor asks for your TPRM program. Show the tiering model, the assessment cadence, and evidence of continuous monitoring mapped to GV.SC.
  • Critical fourth party identified. Document the dependency and the concentration risk; build a contingency for that upstream provider.

Output Format

Produce a Vendor Risk Assessment using assets/template.md, containing:

  1. Vendor profile — service, data handled, access type, business criticality, regulatory scope.
  2. Inherent-risk tier — score and resulting tier, with rationale.
  3. Due-diligence performed — questionnaire used and evidence collected (SOC 2 period, ISO scope, pen-test age).
  4. Findings — gaps with severity, including notable SOC 2 exceptions.
  5. Decision & residual risk — approve/conditional/reject, with risk-owner sign-off.
  6. Contractual requirements — security terms, breach SLA, right-to-audit, subprocessor flowdown.
  7. Monitoring & reassessment plan — cadence, signals watched, re-tier triggers.
  8. Nth-party notes — critical subprocessors and concentration risk.

Use scripts/process.py to compute a vendor's inherent-risk tier from a profile JSON, set the assessment depth and reassessment cadence, and flag missing evidence for the assigned tier.

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

standards.md4.3 KB

Third-Party / Vendor Risk Management — Standards & Reference

Primary standards & frameworks

Source Role
NIST SP 800-161 Rev 1 (May 2022) Cybersecurity Supply Chain Risk Management (C-SCRM) practices for systems and organizations. URL: https://csrc.nist.gov/pubs/sp/800/161/r1/final
NIST CSF 2.0 — GV.SC The Cybersecurity Supply Chain Risk Management category; the governance backbone for a TPRM program.
NIST SP 800-37 / 800-53 (SR family) Supply Chain Risk Management controls (SR-x) within the broader control catalog.
ISO/IEC 27036 Information security for supplier relationships.
Shared Assessments SIG questionnaire + Third Party Risk Management framework.
CSA CAIQ / Cloud Controls Matrix (CCM) / STAR Cloud-vendor self-assessment and registry.

NIST CSF 2.0 — GV.SC subcategories (selected)

ID Outcome
GV.SC-01 A cyber supply-chain risk-management program/strategy is established and agreed.
GV.SC-03 Supply-chain risk management is integrated into cybersecurity and ERM.
GV.SC-04 Suppliers are known and prioritized by criticality.
GV.SC-05 Requirements to address supply-chain risk are established in contracts.
GV.SC-06 Due diligence is performed to reduce risk before entering relationships.
GV.SC-07 Supplier risks are understood, monitored, and managed over the relationship.
GV.SC-08 Suppliers are included in incident planning, response, and recovery.
GV.SC-10 Supply-chain risk is managed through to relationship termination.

Vendor tiering — typical inherent-risk factors

  • Data sensitivity handled (regulated PII/PHI/CHD, IP, none).
  • Access type (network/system access, physical access, none).
  • Business criticality (would an outage stop operations?).
  • Regulatory scope (HIPAA, PCI, GDPR, CMMC flowdown).
  • Integration depth (API/identity federation vs standalone).
  • Concentration / spend (single-source, large dependency).

Tiers commonly: Critical / High / Moderate / Low — each mapped to an assessment depth and a reassessment cadence.

Due-diligence instruments

Instrument What it is
SIG (Full / Core / Lite) Shared Assessments standardized questionnaire; depth scales with tier.
CAIQ CSA questionnaire mapped to the Cloud Controls Matrix.
SOC 2 Type II AICPA attestation on control design and operating effectiveness over a period (Trust Services Criteria: Security required; Availability, Confidentiality, Processing Integrity, Privacy optional).
SOC 2 Type I Design only, at a point in time (weaker assurance than Type II).
ISO/IEC 27001 certificate + SoA Certified ISMS; check the scope statement covers the purchased service.
Penetration-test summary Independent testing; check age, scope, and remediation of highs/criticals.
PCI AOC Attestation of Compliance for card-data handlers.

Reading a SOC 2 critically

  • Confirm the report type (II > I) and the audit period length.
  • Check the scope / system description matches the service you buy.
  • Read the exceptions / deviations and the auditor's opinion (unqualified vs qualified).
  • Review complementary user-entity controls (CUECs) — what the vendor expects you to do.
  • Note the subservice organizations (their critical fourth parties).

Contractual security terms to require

  • Security control obligations (map to your baseline).
  • Breach-notification timeline (e.g., notify within X hours of discovery).
  • Data handling, location, and return/certified destruction on exit.
  • Right to audit or to receive current assessment evidence.
  • Subcontractor (Nth-party) flowdown and prior-approval of new subprocessors.
  • Liability, indemnity, and cyber-insurance requirements.
  • Regulatory instruments: DPA (GDPR), BAA (HIPAA), CMMC flowdown.

Continuous monitoring signals

Security-ratings feeds, breach/news monitoring, certificate/attestation expiry, new subprocessor notices, ownership/region changes, and periodic re-questionnaire on cadence by tier.

Nth-party & concentration risk

  • Fourth-party = your vendor's vendors; map the critical ones.
  • Concentration risk = many vendors depending on the same upstream (e.g., one cloud region or one auth provider) — a single upstream failure can be systemic.

Scripts 1

process.py8.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Third-party vendor inherent-risk tiering and evidence-gap checker.

Scores a vendor's inherent risk from a profile, assigns a tier
(Critical/High/Moderate/Low), sets the assessment depth and reassessment
cadence for that tier, and flags evidence that is missing or stale for the
assigned tier.

Input JSON shape:
{
  "vendor": {"name": "PayWorks", "service": "Payroll processing"},
  "profile": {
    "data_sensitivity": "regulated",   # regulated | confidential | internal | public
    "access": "system",                # system | network | physical | none
    "criticality": "high",             # high | medium | low
    "regulated_scope": ["PII"],        # list; non-empty raises risk
    "integration": "deep",             # deep | moderate | none
    "concentration": true              # single-source / large dependency
  },
  "evidence": {                        # OPTIONAL; what you have on file
    "sig": "core",                     # full | core | lite | caiq | none
    "soc2_type": "II",                 # II | I | none
    "soc2_period_months": 12,
    "iso27001": true,
    "pentest_age_months": 8
  }
}

Usage:
  python process.py --input vendor.json [--output assessment.md]
  python process.py --input vendor.json --fail-on-evidence-gap
"""

import argparse
import json
import sys

# inherent-risk points per factor
DATA_POINTS = {"regulated": 4, "confidential": 3, "internal": 1, "public": 0}
ACCESS_POINTS = {"system": 4, "network": 3, "physical": 2, "none": 0}
CRIT_POINTS = {"high": 4, "medium": 2, "low": 1}
INTEG_POINTS = {"deep": 2, "moderate": 1, "none": 0}

# tier thresholds on total inherent score (max ~17)
def tier_for(score):
    if score >= 13:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"

# per-tier expectations
TIER_PLAYBOOK = {
    "Critical": {
        "depth": "Full SIG + SOC 2 Type II (12-month period) + ISO 27001 + recent pen-test + assessor call",
        "cadence": "Reassess annually; continuous security-ratings monitoring",
        "require": {"sig": ("full", "core"), "soc2_type": ("II",), "iso27001": True, "pentest_max_months": 12},
    },
    "High": {
        "depth": "SIG Core + SOC 2 Type II + pen-test summary",
        "cadence": "Reassess annually",
        "require": {"sig": ("full", "core"), "soc2_type": ("II",), "iso27001": False, "pentest_max_months": 18},
    },
    "Moderate": {
        "depth": "SIG Lite or CAIQ + key attestations",
        "cadence": "Reassess every 2 years",
        "require": {"sig": ("full", "core", "lite", "caiq"), "soc2_type": ("II", "I"), "iso27001": False, "pentest_max_months": None},
    },
    "Low": {
        "depth": "Lightweight questionnaire / self-attestation",
        "cadence": "Reassess every 3 years or on change",
        "require": {"sig": ("full", "core", "lite", "caiq", "none"), "soc2_type": ("II", "I", "none"), "iso27001": False, "pentest_max_months": None},
    },
}


def score_inherent(p):
    breakdown = {}
    breakdown["data_sensitivity"] = DATA_POINTS.get(p.get("data_sensitivity", "internal"), 1)
    breakdown["access"] = ACCESS_POINTS.get(p.get("access", "none"), 0)
    breakdown["criticality"] = CRIT_POINTS.get(p.get("criticality", "low"), 1)
    breakdown["integration"] = INTEG_POINTS.get(p.get("integration", "none"), 0)
    breakdown["regulated_scope"] = 2 if p.get("regulated_scope") else 0
    breakdown["concentration"] = 1 if p.get("concentration") else 0
    total = sum(breakdown.values())
    return total, breakdown


def check_evidence(tier, ev):
    req = TIER_PLAYBOOK[tier]["require"]
    gaps = []
    sig = (ev.get("sig") or "none").lower()
    if sig not in req["sig"]:
        gaps.append(f"Questionnaire '{sig}' insufficient for {tier} (need one of {', '.join(req['sig'])})")
    soc = (ev.get("soc2_type") or "none")
    if soc not in req["soc2_type"]:
        gaps.append(f"SOC 2 type '{soc}' insufficient for {tier} (need {', '.join(req['soc2_type'])})")
    if soc == "II" and ev.get("soc2_period_months", 0) < 6:
        gaps.append("SOC 2 Type II period under 6 months - limited operating-effectiveness assurance")
    if req["iso27001"] and not ev.get("iso27001"):
        gaps.append(f"ISO 27001 certificate expected for {tier}")
    pmax = req["pentest_max_months"]
    if pmax is not None:
        age = ev.get("pentest_age_months")
        if age is None:
            gaps.append(f"No pen-test on file (expected within {pmax} months for {tier})")
        elif age > pmax:
            gaps.append(f"Pen-test is {age} months old (>{pmax} for {tier}) - request a current test")
    return gaps


def render(data):
    vendor = data.get("vendor", {})
    profile = data.get("profile", {})
    evidence = data.get("evidence", {})
    if not profile:
        raise ValueError("profile is required to tier the vendor")

    total, breakdown = score_inherent(profile)
    tier = tier_for(total)
    play = TIER_PLAYBOOK[tier]
    gaps = check_evidence(tier, evidence) if evidence else ["No evidence provided - collect tier-appropriate evidence"]

    lines = []
    lines.append(f"# Vendor Risk Assessment - {vendor.get('name','Vendor')}")
    lines.append("")
    if vendor.get("service"):
        lines.append(f"- **Service:** {vendor['service']}")
    lines.append(f"- **Inherent-risk score:** {total} -> **Tier: {tier}**")
    lines.append("")

    lines.append("## Inherent-risk breakdown")
    lines.append("")
    lines.append("| Factor | Value | Points |")
    lines.append("|---|---|---|")
    lines.append(f"| Data sensitivity | {profile.get('data_sensitivity','-')} | {breakdown['data_sensitivity']} |")
    lines.append(f"| Access | {profile.get('access','-')} | {breakdown['access']} |")
    lines.append(f"| Criticality | {profile.get('criticality','-')} | {breakdown['criticality']} |")
    lines.append(f"| Integration | {profile.get('integration','-')} | {breakdown['integration']} |")
    lines.append(f"| Regulated scope | {', '.join(profile.get('regulated_scope', [])) or 'none'} | {breakdown['regulated_scope']} |")
    lines.append(f"| Concentration | {profile.get('concentration', False)} | {breakdown['concentration']} |")
    lines.append(f"| **Total** | | **{total}** |")
    lines.append("")

    lines.append(f"## {tier}-tier playbook")
    lines.append("")
    lines.append(f"- **Assessment depth:** {play['depth']}")
    lines.append(f"- **Reassessment cadence:** {play['cadence']}")
    lines.append("")

    lines.append("## Evidence gaps")
    lines.append("")
    if not gaps:
        lines.append(f"Evidence on file meets the {tier}-tier bar. Proceed to findings review and contracting.")
    else:
        for g in gaps:
            lines.append(f"- {g}")
    lines.append("")

    lines.append("## Next steps")
    lines.append("")
    lines.append("1. Close the evidence gaps above (or document risk-accepted exceptions).")
    lines.append("2. Review collected evidence critically (SOC 2 exceptions, ISO scope, CAIQ 'no' answers).")
    lines.append("3. Record findings, residual risk, and a risk-owner decision.")
    lines.append("4. Codify security terms, breach SLA, right-to-audit, and subprocessor flowdown in the contract.")
    lines.append("5. Enroll in continuous monitoring per the cadence above.")

    return "\n".join(lines), tier, gaps


def main():
    ap = argparse.ArgumentParser(description="Vendor inherent-risk tiering + evidence-gap checker")
    ap.add_argument("--input", "-i", required=True, help="Path to vendor profile JSON")
    ap.add_argument("--output", "-o", help="Write Markdown assessment to this path")
    ap.add_argument("--fail-on-evidence-gap", action="store_true",
                    help="Exit non-zero if any evidence gap remains for the tier")
    args = ap.parse_args()

    try:
        with open(args.input) as f:
            data = json.load(f)
    except (OSError, json.JSONDecodeError) as e:
        print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
        return 2

    try:
        md, tier, gaps = render(data)
    except ValueError as e:
        print(f"ERROR: {e}", file=sys.stderr)
        return 2

    if args.output:
        with open(args.output, "w") as f:
            f.write(md + "\n")
        print(f"Assessment written to {args.output}", file=sys.stderr)
    else:
        print(md)

    print(f"Tier: {tier}; evidence gaps: {len(gaps)}.", file=sys.stderr)

    if args.fail_on_evidence_gap and gaps:
        print(f"FAIL: {len(gaps)} evidence gap(s) for {tier} tier.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())

Assets 1

template.mdtext/markdown · 3.1 KB
Keep exploring