TPM-05: Third-Party Contract Requirements
Mechanisms exist to require contractual requirements for cybersecurity and data protection requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).
Control Question: Does the organization require contractual requirements for cybersecurity and data protection requirements with third-parties, reflecting its needs to protect its Technology Assets, Applications, Services and/or Data (TAASD)?
General (48)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC1.1-POF5 CC2.3-POF10 CC2.3-POF11 CC2.3-POF12 CC2.3-POF2 CC2.3-POF6 CC2.3-POF7 CC9.1 CC9.2-POF1 CC9.2-POF10 CC9.2-POF5 CC9.2-POF6 CC9.2-POF9 P6.4-POF3 |
| CIS CSC 8.1 | 15.4 |
| CIS CSC 8.1 IG2 | 15.4 |
| CIS CSC 8.1 IG3 | 15.4 |
| COBIT 2019 | APO10.03 |
| CSA CCM 4 | IPY-04 SEF-02 STA-02 STA-04 STA-09 STA-12 UEM-14 |
| CSA IoT SCF 2 | CLS-04 IMT-01 LGL-05 LGL-06 LGL-07 LGL-08 POL-01 POL-02 SET-04 |
| ISO/SAE 21434 2021 | RQ-06-10 RQ-07-02 RQ-07-03.a RQ-07-03.b RQ-07-03.c RQ-07-04.a RQ-07-04.b RQ-07-04.c RQ-07-04.d RQ-07-04.e RQ-07-04.f RC-07-05 RQ-07-07 |
| ISO 27002 2022 | 5.19 5.20 5.21 5.31 6.6 8.21 8.30 |
| ISO 27017 2015 | 5.1.1 CLD.6.3.1 13.1.2 13.2.4 15.1.2 |
| ISO 27701 2025 | 6.1.3(h) |
| ISO 42001 2023 | A.10.2 A.10.3 |
| MPA Content Security Program 5.1 | OR-3.4 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.F(2) |
| NIST AI 600-1 | GV-6.1-004 GV-6.1-010 GV-6.2-007 |
| NIST Privacy Framework 1.0 | ID.DE-P3 GV.PO-P4 GV.AT-P4 |
| NIST 800-53 R4 | SA-9(3) |
| NIST 800-53 R5 (source) | SR-3(3) |
| NIST 800-53 R5 (NOC) (source) | SA-9(3) |
| NIST 800-161 R1 | SA-9(3) |
| NIST 800-161 R1 Level 1 | SA-9(3) |
| NIST 800-161 R1 Level 2 | SA-9(3) |
| NIST 800-161 R1 Level 3 | SA-9(3) |
| NIST 800-171 R2 (source) | 3.1.1 |
| NIST 800-171 R3 (source) | 03.01.20.b 03.01.20.c.01 03.01.20.c.02 03.07.06.a 03.16.03.a 03.16.03.b 03.16.03.c 03.17.02 03.17.03.b |
| NIST 800-171A R3 (source) | A.03.16.03.ODP[01] A.03.16.03.a |
| NIST 800-218 | PO.1 |
| NIST CSF 2.0 (source) | GV.OC-02 GV.OC-03 GV.SC-02 GV.SC-05 GV.SC-06 |
| PCI DSS 4.0.1 (source) | 8.2.3 12.4.2 12.4.2.1 12.8.2 12.8.5 12.9 12.9.1 12.9.2 |
| PCI DSS 4.0.1 SAQ A (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ B (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ C (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 12.8.2 12.8.5 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 8.2.3 12.4.2 12.4.2.1 12.8.2 12.8.5 12.9.1 12.9.2 |
| PCI DSS 4.0.1 SAQ P2PE (source) | 12.8.2 12.8.5 |
| SWIFT CSF 2023 | 2.8A |
| TISAX ISA 6 | 1.2.4 1.3.3 6.1.1 8.2.1 8.2.2 8.3.1 |
| UL 2900-1 2017 | 12.1 |
| UN R155 | 7.2.2.5 |
| UN ECE WP.29 | 7.2.2.5 |
| SCF CORE Fundamentals | TPM-05 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | TPM-05 |
| SCF CORE ESP Level 1 Foundational | TPM-05 |
| SCF CORE ESP Level 2 Critical Infrastructure | TPM-05 |
| SCF CORE ESP Level 3 Advanced Threats | TPM-05 |
US (27)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | THIRD-PARTIES-2.F.MIL2 |
| US CISA CPG 2022 | 1.G 1.H |
| US CJIS Security Policy 5.9.3 (source) | 5.1.1.2 5.1.1.3 5.1.1.4 5.1.1.5 5.1.1.6 5.1.1.7 5.1.1.8 5.1.4 |
| US CMMC 2.0 Level 1 (source) | AC.L1-B.1.I |
| US CMMC 2.0 Level 2 (source) | AC.L2-3.1.1 |
| US CMMC 2.0 Level 3 (source) | AC.L2-3.1.1 |
| US Data Privacy Framework (DPF) | II.3.a II.3.b II.7.d III.10.a.i III.10.a.ii.1 III.10.a.ii.2 III.10.a.ii.3 III.10.a.iii |
| US DFARS Cybersecurity 252.204-70xx | 252.204-7012(m)(1) 252.204-7012(m)(2)(i) 252.204-7012(m)(2)(ii) 252.204-7019(b) 252.204-7019(c)(1) 252.204-7019(c)(2) 252.204-7020(c) 252.204-7021(b) 252.204-7021(c)(1) 252.204-7021(c)(2) |
| US FAR 52.204-21 | 52.204-21(b)(1)(i) |
| US FAR 52.204-27 | 52.204-27(b) |
| US FCA CRM | 609.930(c)(4) 609.930(c)(5)(ii) |
| US GLBA CFR 314 2023 (source) | 314.4(a) 314.4(a)(1) 314.4(a)(2) 314.4(a)(3) |
| US HHS 45 CFR 155.260 | 155.260(b)(2) 155.260(b)(2)(i) 155.260(b)(2)(ii) 155.260(b)(2)(iii) 155.260(b)(2)(iv) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(b)(1) 164.308(b)(2) 164.308(b)(3) 164.314(a)(2)(iii) 164.314(b)(1) 164.314(b)(2)(i) 164.314(b)(2)(ii) 164.314(b)(2)(iii) 164.502(a)(4)(i) 164.502(a)(4)(ii) 164.502(e)(1)(i) 164.502(e)(2) 164.504(e)(2)(i) 164.504(e)(2)(i)(A) 164.504(e)(2)(i)(B) 164.504(e)(2)(ii)(J) 164.504(e)(4)(i)(B)(ii)(B)(1) 164.504(e)(4)(i)(B)(ii)(B)(2) 164.504(f)(1)(i) 164.504(f)(2)(i) 164.504(f)(2)(ii) 164.504(f)(2)(ii)(A) 164.504(f)(2)(ii)(B) 164.504(f)(2)(ii)(C) 164.504(f)(2)(ii)(D) 164.504(f)(2)(ii)(E) 164.504(f)(2)(ii)(F) 164.504(f)(2)(ii)(G) 164.504(f)(2)(ii)(H) 164.504(f)(2)(ii)(I) 164.504(f)(2)(ii)(J) 164.504(f)(2)(iii)(A) 164.504(f)(2)(iii)(B) 164.504(f)(2)(iii)(C) 164.504(f)(3)(i) 164.504(f)(3)(ii) 164.504(f)(3)(iii) 164.504(f)(3)(iv) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(b)(1) 164.308(b)(2) 164.308(b)(3) 164.314(a)(2)(iii) 164.314(b)(1) 164.314(b)(2)(i) 164.314(b)(2)(ii) 164.314(b)(2)(iii) |
| US HIPAA HICP Large Practice | 9.L.C |
| US IRS 1075 | 2.C.9 SA-9(3) |
| US SEC Cybersecurity Rule | 17 CFR 229.106(b)(1)(iii) |
| US SSA EIESR 8.0 | 5.11 |
| US - CA CCPA 2025 | 7012(g)(2) 7051(a) 7052(b) 7053(a) 7053(a)(6) 7123(c)(15) 7123(c)(3)(A)(ii) 7123(c)(3)(A)(iii) 7153(a) |
| US - CO Colorado Privacy Act | 6-1-1305(3)(b) 6-1-1305(5) 6-1-1305(5)(a) 6-1-1305(5)(b) 6-1-1305(5)(c) 6-1-1305(5)(d) 6-1-1305(5)(d)(I) 6-1-1305(5)(d)(I)(A) 6-1-1305(5)(d)(I)(B) 6-1-1305(6) |
| US - IL PIPA | 45(a) 45(b) 45(c) 45(d) 50 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.10(a)(1) 500.10(b) 500.11(a)(1) 500.11(a)(2) 500.11(b) 500.11(b)(1) 500.11(b)(2) 500.11(b)(3) 500.11(b)(4) 500.2(d) |
| US - OR CPA | 6(2)(a) 6(2)(b) 6(2)(c) 6(2)(d) 6(2)(e) 6(2)(f) 6(2)(g) 6(2)(h) |
| US - TX CDPA | 541.104(a) 541.104(b) |
| US - VA CDPA 2025 | 59.1-579.B.5 |
| US - VT Act 171 of 2018 | 2447(b)(6) 2447(b)(6)(A) 2447(b)(6)(B) |
EMEA (20)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.2.3(8) 3.2.3(8)(a) 3.2.3(8)(b) |
| EMEA EU DORA | 28.1(a) 29.2 30.1 30.2 30.2(a) 30.2(b) 30.2(c) 30.2(d) 30.2(e) 30.2(f) 30.2(g) 30.2(h) 30.2(i) 30.3 30.3(a) 30.3(b) 30.3(c) 30.3(d) 30.3(e)(i) 30.3(e)(ii) 30.3(e)(iii) 30.3(e)(iv) 30.3(f)(i) 30.3(f)(i) 30.4 |
| EMEA EU NIS2 | 21.3 |
| EMEA EU NIS2 Annex | 1.2.2 13.1.2(e) 3.3.2 4.3.2(a) 5.1.2 5.1.2(a) 5.1.2(b) 5.1.2(c) 5.1.2(d) 5.1.4 5.1.4(a) 5.1.4(b) 5.1.4(c) 5.1.4(d) 5.1.4(e) 5.1.4(f) 5.1.4(g) 5.1.4(h) 5.1.5 6.2.3 6.2.3 8.1.1 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 9.4 |
| EMEA Germany C5 2020 | HR-06 PI-02 SSO-02 SSO-05 |
| EMEA Israel CDMO 1.0 | 11.1 11.3 11.10 16.2 19.5 22.4 25.17 |
| EMEA Poland | 31 |
| EMEA Qatar PDPPL | 12 |
| EMEA Saudi Arabia CSCC-1 2019 | 4-1-1 4-1-1-1 4-1-1-2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 4-1-1 4-2-5 |
| EMEA Saudi Arabia ECC-1 2018 | 4-1-2 4-1-2-1 4-1-2-2 4-1-2-3 |
| EMEA Saudi Arabia OTCC-1 2022 | 4-1-1-1 4-1-1-3 |
| EMEA Saudi Arabia PDPL | 8 |
| EMEA Saudi Arabia SACS-002 | TPC-25 |
| EMEA Serbia 87/2018 | 5 11 |
| EMEA South Africa | 20 |
| EMEA Spain 1720/2007 | 20 21 |
| EMEA Spain CCN-STIC 825 | 7.4.1 [OP.EXT.1] |
| EMEA UK DEFSTAN 05-138 | 1401 2323 |
APAC (14)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0072 ISM-1395 ISM-1451 ISM-1569 ISM-1571 ISM-1572 ISM-1573 ISM-1574 ISM-1575 ISM-1738 |
| APAC Australia Prudential Standard CPS230 | 15 54(a) 54(b) 54(c) 54(d) 54(e) 54(f) 54(g) 55(a) 55(b) 55(c) |
| APAC Australia Prudential Standard CPS234 | 16 20 28 |
| APAC China Cybersecurity Law | 36 |
| APAC China Privacy Law | 20 21 38(3) 42 |
| APAC India DPDPA 2023 | 8(7)(b) |
| APAC India SEBI CSCRF | GV.OC.S3 GV.SC.S3 GV.SC.S3 GV.SC.S8 PR.AT.S3 |
| APAC Japan APPI | 22 23(1)(i) 23(1)(ii) 23(1)(iii) 23(1)(iv) 23(2) 23(2)(i) 23(2)(ii) 23(2)(iii) 23(2)(iv) 23(2)(v) 23(2)(vi) 23(2)(vii) 23(2)(viii) 23(3) 23(4) 23(5)(i) 23(5)(ii) 23(5)(iii) 23(6) 23(1) |
| APAC Japan ISMAP | 6.3.P 6.3.1.P 6.3.1.1.PB 13.1.2 13.2.4 15.1.2 15.1.2.18.PB |
| APAC New Zealand HISF 2022 | HHSP09 HHSP36 HHSP72 HML09 HML36 HML72 HMS06 HSUP63 HSUP68 |
| APAC New Zealand HISF Suppliers 2023 | HSUP63 HSUP68 |
| APAC New Zealand NZISM 3.6 | 2.3.30.C.01 23.2.19.C.01 |
| APAC Philippines | 25 43 |
| APAC Singapore MAS TRM 2021 | 3.4.1 3.4.2 3.4.3 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 2.3 4.26 4.28 |
| Americas Canada ITSP-10-171 | 03.01.20.B 03.01.20.C.01 03.01.20.C.02 03.07.06.A 03.16.03.A 03.16.03.B 03.16.03.C 03.17.02 03.17.03.B |
| Americas Mexico | 21 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to require contractual requirements for cybersecurity and data protection requirements with third-parties, reflecting its needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).
Level 1 — Performed Informally
Third-Party Management (TPM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Third-party management is decentralized.
- IT personnel use an informal process to govern third-party service providers.
Level 2 — Planned & Tracked
Third-Party Management (TPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Require TSP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative. o Contain "break clauses" in all TSP contracts to enable penalty-free, early termination of a contract for cause, based on the TSP's cybersecurity and/ or data protection practices deficiency(ies).
- Third-party management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for third-party management.
- A procurement function maintains a list of all active Third-Party Service Providers (TSP), including pertinent contract information that will assist in a risk assessment.
- A Shared Responsibility Matrix (SRM) is documented for every TSP that directly or indirectly affects sensitive/regulated data.
- Procurement contracts:
Level 3 — Well Defined
Third-Party Management (TPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to third-party management. o Operates the Cybersecurity Supply Chain Risk Management (C-SCRM) program to identify and mitigate supply chain-related risks and threats. o Evaluates risks associated with weaknesses or deficiencies in supply chain elements identified during first and/ or third-party reviews. o Enables the implementation of third-party management controls. o Ensures the Information Assurance Program (IAP) evaluates applicable cybersecurity and data protection controls as part of “business as usual” pre-production testing. o Maintains a list of all active Third-Party Service Providers (TSP), including pertinent contract information that will assist in a risk assessment. o Requires TSP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative. o Includes "break clauses" in all TSP contracts to enable penalty-free, early termination of a contract for cause, based on the TSP's cybersecurity and/ or data protection practices deficiency(ies). o Controls changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party. o Requires a risk assessment prior to the acquisition or outsourcing of technology-related services. o Monitors, regularly reviews and audits supplier service delivery for compliance with established contract agreements. o Uses tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.
- Procurement contracts and layered defenses provide safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.
- A Governance, Risk & Compliance (GRC) function, or similar function;
- A procurement team, or similar function:
- A Shared Responsibility Matrix (SRM) is documented for every TSP that directly or indirectly affects sensitive/regulated data.
Level 4 — Quantitatively Controlled
Third-Party Management (TPM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to require contractual requirements for cybersecurity and data protection requirements with third-parties, reflecting its needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).
Assessment Objectives
- TPM-05_A01 legally-binding contracts are executed to enforce cybersecurity / data privacy requirements by third-parties.
- TPM-05_A02 before sharing sensitive / regulated data, Non-Disclosure Agreements (NDAs) are executed with third parties.
- TPM-05_A03 security requirements to be satisfied by external system service providers are defined.
- TPM-05_A04 the providers of external system services used for the processing, storage, or transmission of sensitive / regulated data comply with organization-defined security requirements.
- TPM-05_A05 the providers of external system services used for the processing, storage, or transmission of CUI comply with the following security requirements: <A.03.16.03.ODP[01]: security requirements>.
Evidence Requirements
- E-RSK-02 Supply Chain Risk Management (SCRM) Plan
-
Documented evidence of a Supply Chain Risk Management (SCRM) Plan. This is program-level documentation in the form of a playbook, concept of operations or a similar format provides guidance on organizational practices that support existing policies and standards.
Risk Management - E-TPM-01 Third-Party Contracts
-
Documented evidence of third-party contractual obligations for cybersecurity & data privacy protections.
Third-Party Management - E-TPM-03 Third-Party Service Reviews
-
Documented evidence of a formal, annual stakeholder review of third-party services for each Third-Party Service Provider (TSP).
Third-Party Management - E-TPM-06 Third-Party Terms & Conditions
-
Documented evidence of terms and conditions for external systems.
Third-Party Management - E-TPM-07 System Connection or Processing Agreements
-
Documented evidence of system connection or processing agreements.
Third-Party Management
Technology Recommendations
Micro/Small
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
- Non-Disclosure Agreements (NDAs)
Small
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
- Non-Disclosure Agreements (NDAs)
Medium
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
- Non-Disclosure Agreements (NDAs)
Large
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
- Non-Disclosure Agreements (NDAs)
Enterprise
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
- Non-Disclosure Agreements (NDAs)