TPM

Third-Party Management

28 controls

Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| TPM-01 | Third-Party Management | 10 — Critical | Govern | 133 |
| TPM-01.1 | Third-Party Inventories | 8 — High | Identify | 45 |
| TPM-02 | Third-Party Criticality Assessments | 9 — Critical | Identify | 64 |
| TPM-03 | Supply Chain Risk Management (SCRM) | 9 — Critical | Identify | 82 |
| TPM-03.1 | Acquisition Strategies, Tools & Methods | 9 — Critical | Identify | 45 |
| TPM-03.2 | Limit Potential Harm | 9 — Critical | Identify | 37 |
| TPM-03.3 | Processes To Address Weaknesses or Deficiencies | 9 — Critical | Identify | 38 |
| TPM-03.4 | Adequate Supply | 9 — Critical | Protect | 5 |
| TPM-04 | Third-Party Services | 10 — Critical | Identify | 99 |
| TPM-04.1 | Third-Party Risk Assessments & Approvals | 9 — Critical | Identify | 82 |
| TPM-04.2 | External Connectivity Requirements - Identification of Ports, Protocols & Services | 7 — High | Identify | 35 |
| TPM-04.3 | Conflict of Interests | 8 — High | Identify | 24 |
| TPM-04.4 | Third-Party Processing, Storage and Service Locations | 10 — Critical | Identify | 68 |
| TPM-05 | Third-Party Contract Requirements | 10 — Critical | Identify | 112 |
| TPM-05.1 | Security Compromise Notification Agreements | 9 — Critical | Detect | 37 |
| TPM-05.2 | Contract Flow-Down Requirements | 9 — Critical | Protect | 45 |
| TPM-05.3 | Third-Party Authentication Practices | 8 — High | Protect | 7 |
| TPM-05.4 | Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix | 8 — High | Identify | 48 |
| TPM-05.5 | Third-Party Scope Review | 10 — Critical | Identify | 27 |
| TPM-05.6 | First-Party Declaration (1PD) | 7 — High | Identify | 23 |
| TPM-05.7 | Break Clauses | 9 — Critical | Protect | 22 |
| TPM-05.8 | Third-Party Attestation (3PA) | 5 — Medium | Govern | 9 |
| TPM-06 | Third-Party Personnel Security | 9 — Critical | Identify | 32 |
| TPM-07 | Monitoring for Third-Party Information Disclosure | 8 — High | Identify | 15 |
| TPM-08 | Review of Third-Party Services | 9 — Critical | Identify | 79 |
| TPM-09 | Third-Party Deficiency Remediation | 9 — Critical | Identify | 33 |
| TPM-10 | Managing Changes To Third-Party Services | 8 — High | Identify | 68 |
| TPM-11 | Third-Party Incident Response & Recovery Capabilities | 8 — High | Identify | 23 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
