TPM-02: Third-Party Criticality Assessments
Mechanisms exist to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.
Control Question: Does the organization identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services?
General (33)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC3.2-POF8 CC3.2-POF9 CC9.1 |
| CIS CSC 8.1 | 15.3 |
| CIS CSC 8.1 IG2 | 15.3 |
| CIS CSC 8.1 IG3 | 15.3 |
| COBIT 2019 | APO10.04 |
| CSA CCM 4 | STA-07 |
| IMO Maritime Cyber Risk Management | 3.5.3.8 |
| ISO 27002 2022 | 5.19 |
| MITRE ATT&CK 10 | T1195.003, T1495, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1553, T1553.006, T1601, T1601.001, T1601.002 |
| NIST Privacy Framework 1.0 | ID.BE-P3 |
| NIST 800-53 R4 | SA-14 |
| NIST 800-53 R5 (source) | PM-30(1) RA-9 SA-9(3) |
| NIST 800-53B R5 (moderate) (source) | RA-9 |
| NIST 800-53B R5 (high) (source) | RA-9 |
| NIST 800-53 R5 (NOC) (source) | PM-30(1) SA-9(3) |
| NIST 800-82 R3 MODERATE OT Overlay | RA-9 |
| NIST 800-82 R3 HIGH OT Overlay | RA-9 |
| NIST 800-161 R1 | RA-9 |
| NIST 800-161 R1 Flow Down | RA-9 |
| NIST 800-161 R1 Level 1 | RA-9 |
| NIST 800-161 R1 Level 2 | RA-9 |
| NIST 800-161 R1 Level 3 | RA-9 |
| NIST 800-171 R3 (source) | 03.11.01.a 03.17.03.a |
| NIST CSF 2.0 (source) | GV.OC-04 GV.OC-05 GV.SC-04 GV.SC-06 GV.SC-07 GV.SC-08 ID.AM-05 ID.RA-10 |
| SPARTA | CM0022 |
| SWIFT CSF 2023 | 2.8A |
| UL 2900-1 2017 | 12.1 |
| UN R155 | 7.2.2.5 7.3.2 7.3.3 |
| UN ECE WP.29 | 7.2.2.5 7.3.2 7.3.3 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | TPM-02 |
| SCF CORE ESP Level 1 Foundational | TPM-02 |
| SCF CORE ESP Level 2 Critical Infrastructure | TPM-02 |
| SCF CORE ESP Level 3 Advanced Threats | TPM-02 |
US (16)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | THIRD-PARTIES-1.C.MIL2 THIRD-PARTIES-1.D.MIL2 THIRD-PARTIES-1.E.MIL2 THIRD-PARTIES-1.F.MIL3 THIRD-PARTIES-2.A.MIL1 THIRD-PARTIES-2.B.MIL1 THIRD-PARTIES-2.C.MIL2 THIRD-PARTIES-2.D.MIL2 THIRD-PARTIES-2.E.MIL2 THIRD-PARTIES-2.F.MIL2 THIRD-PARTIES-2.G.MIL2 THIRD-PARTIES-2.H.MIL3 THIRD-PARTIES-2.I.MIL3 THIRD-PARTIES-2.J.MIL3 THIRD-PARTIES-2.K.MIL3 THIRD-PARTIES-2.L.MIL3 THIRD-PARTIES-2.M.MIL3 |
| US CERT RMM 1.2 | EXD:SG1.SP2 RTSE:SG2.SP1 RTSE:SG2.SP2 RTSE:SG3.SP1 RTSE:SG3.SP2 TM:SG1.SP1 |
| US CISA CPG 2022 | 1.G |
| US FCA CRM | 609.930(c)(5)(i) |
| US FedRAMP R5 (source) | RA-9 |
| US FedRAMP R5 (moderate) (source) | RA-9 |
| US FedRAMP R5 (high) (source) | RA-9 |
| US FFIEC | D1.G.SP.A.3 |
| US GLBA CFR 314 2023 (source) | 314.4(f)(1) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(7)(ii)(E) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(7)(ii)(E) |
| US HIPAA HICP Large Practice | 9.L.C |
| US NISPOM 2020 | 8-302 8-311 |
| US SEC Cybersecurity Rule | 17 CFR 229.106(b)(1)(iii) |
| US - CA CCPA 2025 | 7123(c)(15) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.11(a)(1) 500.11(a)(4) |
EMEA (7)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 8.4 |
| EMEA EU NIS2 | 21.3 |
| EMEA Germany C5 2020 | SSO-02 SSO-03 |
| EMEA Israel CDMO 1.0 | 16.1 16.6 |
| EMEA Saudi Arabia CSCC-1 2019 | 4-1-1-1 |
| EMEA Saudi Arabia OTCC-1 2022 | 4-1-1-2 |
| EMEA UK CAP 1850 | A4 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1452 |
| APAC Australia Prudential Standard CPS230 | 50(a) 50(b) 50(c) 50(d) 52 |
| APAC Australia Prudential Standard CPS234 | 21(b) |
| APAC India SEBI CSCRF | GV.OC.S3 GV.SC.S1 GV.SC.S2 |
| APAC Japan ISMAP | 15.1.1.16.B 15.1.2.18.PB |
| APAC New Zealand NZISM 3.6 | 12.7.17.C.01 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 2.3 4.27 |
| Americas Canada ITSP-10-171 | 03.11.01.A 03.17.03.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.
Level 2 — Planned & Tracked
Third-Party Management (TPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Require TSP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative. o Contain "break clauses" in all TSP contracts to enable penalty-free, early termination of a contract for cause, based on the TSP's cybersecurity and/ or data privacy practices deficiency(ies).
- Third-party management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for third-party management.
- A procurement function maintains a list of all active Third-Party Service Providers (TSP), including pertinent contract information that will assist in a risk assessment.
- A Shared Responsibility Matrix (SRM) is documented for every TSP that directly or indirectly affects sensitive/regulated data.
- Procurement contracts:
Level 3 — Well Defined
Third-Party Management (TPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to third-party management. o Operates the Cybersecurity Supply Chain Risk Management (C-SCRM) program to identify and mitigate supply chain-related risks and threats. o Evaluates risks associated with weaknesses or deficiencies in supply chain elements identified during first and/ or third-party reviews. o Enables the implementation of third-party management controls. o Ensures the Information Assurance Program (IAP) evaluates applicable cybersecurity and data protection controls as part of “business as usual” pre-production testing. o Maintains a list of all active Third-Party Service Providers (TSP), including pertinent contract information that will assist in a risk assessment. o Requires TSP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative. o Includes "break clauses" in all TSP contracts to enable penalty-free, early termination of a contract for cause, based on the TSP's cybersecurity and/ or data privacy practices deficiency(ies). o Controls changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party. o Requires a risk assessment prior to the acquisition or outsourcing of technology-related services. o Monitors, regularly reviews and audits supplier service delivery for compliance with established contract agreements. o Uses tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.
- Procurement contracts and layered defenses provide safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.
- A Governance, Risk & Compliance (GRC) function, or similar function;
- A procurement team, or similar function:
- A Shared Responsibility Matrix (SRM) is documented for every TSP that directly or indirectly affects sensitive/regulated data.
Level 4 — Quantitatively Controlled
Third-Party Management (TPM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.
Assessment Objectives
- TPM-02_A01 systems, system components or system services to be analyzed for criticality are defined.
- TPM-02_A02 decision points in the system development life cycle when a criticality analysis is to be performed are defined.
- TPM-02_A03 critical system components and functions are identified by performing a criticality analysis for systems, system components or system services at decision points in the system development life cycle.
- TPM-02_A04 suppliers of critical or mission-essential technologies, products and services are identified.
- TPM-02_A05 suppliers of critical or mission-essential technologies, products and services are prioritized.
- TPM-02_A06 suppliers of critical or mission-essential technologies, products and services are assessed.
Evidence Requirements
- E-TPM-02 Third-Party Criticality Assessment
-
Documented evidence of third-party criticality assessment that evaluates the critical nature of each third-party the organization works with.
Third-Party Management
Technology Recommendations
Micro/Small
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
Small
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
Medium
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
Large
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
Enterprise
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)