PRI-07.1: Data Privacy Requirements for Contractors & Service Providers

PRI 10 — Critical Identify

Mechanisms exist to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.

Control Question: Does the organization include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers?

General (22)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	P6.1-POF1 P6.4 P6.4-POF3
CIS CSC 8.1	15.4
CIS CSC 8.1 IG2	15.4
CIS CSC 8.1 IG3	15.4
CSA CCM 4	DSP-13 IPY-04 STA-04 STA-09
CSA IoT SCF 2	CLS-04
Generally Accepted Privacy Principles (GAPP)	4.2.3 7.2.4
ISO 27002 2022	5.31 5.33
ISO 27017 2015	18.1.4
ISO 27018 2014	A.7.1
ISO 29100 2024	6.10
NIST Privacy Framework 1.0	ID.DE-P3
NIST 800-53 R4	AR-3
NIST 800-218	PO.1
NIST CSF 2.0 (source)	GV.SC-05
OWASP Top 10 2021	A01:2021 A02:2021 A03:2021 A04:2021 A05:2021 A06:2021 A07:2021 A08:2021 A09:2021 A10:2021
SWIFT CSF 2023	2.8A
TISAX ISA 6	9.5.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	PRI-07.1
SCF CORE ESP Level 1 Foundational	PRI-07.1
SCF CORE ESP Level 2 Critical Infrastructure	PRI-07.1
SCF CORE ESP Level 3 Advanced Threats	PRI-07.1

US (13)

Framework	Mapping Values
US CERT RMM 1.2	AM:SG1.SP1 EXD:SG3.SP1 SC:SG1.SP2
US CJIS Security Policy 5.9.3 (source)	5.1.1.2 5.1.1.3 5.1.1.4 5.1.1.5 5.1.1.6 5.1.1.7 5.1.1.8 5.1.4
US CMS MARS-E 2.0	AR-3
US FERPA (source)	1232g
US HIPAA Administrative Simplification 2013 (source)	164.504(e)(2)(i) 164.504(e)(2)(ii)(A) 164.504(e)(2)(ii)(B) 164.504(e)(2)(ii)(C) 164.504(e)(4)(i) 164.504(e)(4)(i)(A) 164.504(e)(4)(i)(B) 164.504(e)(4)(i)(B)(ii) 164.504(e)(4)(i)(B)(ii)(A)
US IRS 1075	1.9.3 1.9.5
US - CA CCPA 2025	7012(g)(2) 7012(g)(2) 7022(c) 7022(c)(1) 7022(c)(2) 7022(c)(3) 7022(c)(4) 7022(d) 7023(c) 7024(i) 7050(a) 7050(a)(1) 7050(a)(2) 7050(a)(3) 7050(a)(4) 7050(b) 7050(c) 7050(d) 7050(e) 7050(f) 7050(g) 7050(h) 7050(h)(1) 7050(h)(2) 7051(a) 7051(a)(1) 7051(a)(2) 7051(a)(3) 7051(a)(4) 7051(a)(5) 7051(a)(6) 7051(a)(7) 7051(a)(8) 7051(a)(9) 7053(a)(1) 7053(a)(2) 7053(a)(3) 7053(a)(4)
US - CO Colorado Privacy Act	6-1-1305(3)(b) 6-1-1305(5) 6-1-1305(5)(a) 6-1-1305(5)(b) 6-1-1305(5)(c) 6-1-1305(5)(d) 6-1-1305(5)(d)(I) 6-1-1305(5)(d)(I)(A) 6-1-1305(5)(d)(I)(B) 6-1-1305(6) 6-1-1305(7) 6-1-1307(2) 6-1-1307(3)
US - IL PIPA	45(a) 45(b) 45(c) 45(d) 50
US - OR CPA	6(1) 6(1)(a) 6(2) 7(1)(a)(C)
US - TN TIPA	47-18-3205(a) 47-18-3205(a)(1) 47-18-3205(a)(2) 47-18-3205(b) 47-18-3205(b)(1) 47-18-3205(b)(2) 47-18-3205(b)(3) 47-18-3205(b)(4) 47-18-3205(b)(5) 47-18-3205(c) 47-18-3205(d)
US - TX CDPA	541.104(a)(1) 541.104(a)(2) 541.104(a)(3) 541.104(b)(1) 541.104(b)(2) 541.104(b)(3) 541.104(b)(4) 541.104(b)(5) 541.104(b)(6)(A) 541.104(b)(6)(B) 541.104(b)(6)(C) 541.104(b)(6)(D) 541.104(b)(6)(E) 541.104(c) 541.106(a)(3) 541.106(d)
US - VA CDPA 2025	59.1-578.B 59.1-579.A 59.1-579.A.1 59.1-579.A.2 59.1-579.A.3 59.1-579.B 59.1-579.B.3 59.1-579.B.4 59.1-579.B.5 59.1-581.A.3 59.1-581.E

EMEA (10)

Framework	Mapping Values
EMEA EU GDPR (source)	28.1 28.10 28.2 28.3 28.3(a) 28.3(b) 28.3(c) 28.3(d) 28.3(e) 28.3(f) 28.3(g) 28.3(h) 28.4 28.5 28.6 28.7 28.8 28.9 29 46.3(a)
EMEA Austria	Sec 10
EMEA Germany C5 2020	HR-06 PI-02
EMEA Israel CDMO 1.0	11.1
EMEA Kenya DPA 2019	25(h) 40(2) 40(2)(a) 40(2)(b) 40(3) 42(2)(a) 42(2)(b) 42(3)
EMEA Nigeria DPR 2019	2.4(b) 2.7
EMEA Qatar PDPPL	12
EMEA Saudi Arabia SACS-002	TPC-25
EMEA Serbia 87/2018	5 11 30 30.x 32 32.1 32.2 33 45 45.x 46
EMEA South Africa	11 20 21

APAC (7)

Framework	Mapping Values
APAC Australian Privacy Principles	APP 7
APAC China Privacy Law	20 21 27 38(3) 42
APAC India DPDPA 2023	8(2) 8(7)(b)
APAC Japan APPI	22 23(1)(i) 23(1)(ii) 23(1)(iii) 23(1)(iv) 23(2) 23(2)(i) 23(2)(ii) 23(2)(iii) 23(2)(iv) 23(2)(v) 23(2)(vi) 23(2)(vii) 23(2)(viii) 23(3) 23(4) 23(5)(i) 23(5)(ii) 23(5)(iii) 23(6) 23(1) 26(1) 26(1)(i) 26(1)(ii) 26(2) 26(3) 26(4) 26-2(1) 26-2(1)(i) 26-2(1)(ii) 26-2(2) 26-2(3)
APAC Japan ISMAP	18.1.4
APAC New Zealand Privacy Act of 2020	Principle 5 P5-(a) P5-(a)(i) P5-(a)(ii) P5-(a)(iii) P5-(b)
APAC South Korea	26 27

Americas (4)

Framework	Mapping Values
Americas Argentina Reg 132-2018	11.4
Americas Brazil LGPD	35 39
Americas Canada PIPEDA	Sec 20 Sec 23
Americas Uruguay	17 23

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.

Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
Data/process owners operationalize data privacy controls into the processes they control.
Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.

Assessment Objectives

PRI-07.1_A01 includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers.

Evidence Requirements

E-PRI-05 Data Sharing Agreement: Documented evidence of formal data sharing practices that address, at a minimum: • The business justification for the data sharing; • The type / category of data being shared; • The third-parties the data is being shared with; • Lawful bases for data sharing; and • Data subject rights.
Privacy
E-TPM-01 Third-Party Contracts: Documented evidence of third-party contractual obligations for cybersecurity & data privacy protections.
Third-Party Management

Technology Recommendations

Micro/Small

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Small

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Medium

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Large

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Enterprise

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management