TPM-05.2: Contract Flow-Down Requirements
Mechanisms exist to ensure cybersecurity and data protection requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
Control Question: Does the organization ensure cybersecurity and data protection requirements are included in contracts that flow-down to applicable sub-contractors and suppliers?
General (20)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.3-POF12 CC9.2-POF1 CC9.2-POF10 CC9.2-POF9 P6.4-POF3 |
| ISO/SAE 21434 2021 | RQ-06-10 RQ-07-02 RQ-07-03.a RQ-07-03.b RQ-07-03.c RQ-07-04.a RQ-07-04.b RQ-07-04.c RQ-07-04.d RQ-07-04.e RQ-07-04.f RC-07-05 RQ-07-07 |
| ISO 27701 2025 | 6.1.3(h) |
| NIST 800-53 R5 (source) | SR-3(3) |
| NIST 800-161 R1 | SR-3(3) |
| NIST 800-161 R1 Flow Down | SR-3(3) |
| NIST 800-161 R1 Level 2 | SR-3(3) |
| NIST 800-161 R1 Level 3 | SR-3(3) |
| NIST 800-171 R2 (source) | 3.1.1 |
| NIST 800-171 R3 (source) | 03.16.03.a 03.16.03.b 03.16.03.c 03.17.02 03.17.03.b |
| NIST 800-171A R3 (source) | A.03.16.03.ODP[01] |
| NIST CSF 2.0 (source) | GV.OC-03 GV.SC-02 GV.SC-05 GV.SC-06 GV.SC-10 |
| SWIFT CSF 2023 | 2.8A |
| TISAX ISA 6 | 6.1.1 |
| UN R155 | 7.2.2.5 |
| UN ECE WP.29 | 7.2.2.5 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | TPM-05.2 |
| SCF CORE ESP Level 1 Foundational | TPM-05.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | TPM-05.2 |
| SCF CORE ESP Level 3 Advanced Threats | TPM-05.2 |
US (14)
| Framework | Mapping Values |
|---|---|
| US CMMC 2.0 Level 1 (source) | AC.L1-B.1.I |
| US CMMC 2.0 Level 2 (source) | AC.L2-3.1.1 |
| US CMMC 2.0 Level 3 (source) | AC.L2-3.1.1 |
| US Data Privacy Framework (DPF) | II.7.d III.10.a.ii.1 III.10.a.ii.2 III.10.a.ii.3 III.10.a.iii |
| US DFARS Cybersecurity 252.204-70xx | 252.204-7012(m)(1) 252.204-7012(m)(2)(i) 252.204-7012(m)(2)(ii) 252.204-7019(b) 252.204-7019(c)(1) 252.204-7019(c)(2) 252.204-7020(c) 252.204-7021(b) 252.204-7021(c)(1) 252.204-7021(c)(2) |
| US FAR 52.204-21 | 52.204-21(b)(1)(i) |
| US FAR 52.204-27 | 52.204-27(b) |
| US HHS 45 CFR 155.260 | 155.260(b)(2)(v) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(b)(1) 164.308(b)(2) 164.314(a)(2)(i)(B) 164.314(a)(2)(iii) 164.502(e)(1)(ii) 164.504(e)(2)(ii)(D) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(b)(1) 164.308(b)(2) 164.314(a)(2)(i)(B) 164.314(a)(2)(iii) |
| US IRS 1075 | 2.C.9 SR-3(3) |
| US - CA CCPA 2025 | 7051(b) 7052(b) 7053(a) 7123(c)(15) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.10(a)(1) 500.11(a)(1) 500.11(a)(2) 500.11(b) 500.11(b)(1) 500.11(b)(2) 500.11(b)(3) 500.11(b)(4) |
| US - VA CDPA 2025 | 59.1-579.B.5 |
EMEA (8)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.2.3(8) 3.2.3(8)(a) 3.2.3(8)(b) |
| EMEA EU DORA | 29.2 |
| EMEA EU NIS2 | 21.3 |
| EMEA EU NIS2 Annex | 5.1.4(g) |
| EMEA Qatar PDPPL | 12 |
| EMEA Saudi Arabia SACS-002 | TPC-25 |
| EMEA Serbia 87/2018 | 5 11 |
| EMEA UK DEFSTAN 05-138 | 1401 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC India DPDPA 2023 | 8(7)(b) |
| APAC India SEBI CSCRF | GV.SC.S3 GV.SC.S8 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.16.03.A 03.16.03.B 03.16.03.C 03.17.02 03.17.03.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure cybersecurity and data protection requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to ensure cybersecurity and data protection requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
Level 2 — Planned & Tracked
Third-Party Management (TPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Require TSP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative. o Contain "break clauses" in all TSP contracts to enable penalty-free, early termination of a contract for cause, based on the TSP's cybersecurity and/ or data protection practices deficiency(ies).
- Third-party management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for third-party management.
- A procurement function maintains a list of all active Third-Party Service Providers (TSP), including pertinent contract information that will assist in a risk assessment.
- A Shared Responsibility Matrix (SRM) is documented for every TSP that directly or indirectly affects sensitive/regulated data.
- Procurement contracts:
Level 3 — Well Defined
Third-Party Management (TPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to third-party management. o Operates the Cybersecurity Supply Chain Risk Management (C-SCRM) program to identify and mitigate supply chain-related risks and threats. o Evaluates risks associated with weaknesses or deficiencies in supply chain elements identified during first and/ or third-party reviews. o Enables the implementation of third-party management controls. o Ensures the Information Assurance Program (IAP) evaluates applicable cybersecurity and data protection controls as part of “business as usual” pre-production testing. o Maintains a list of all active Third-Party Service Providers (TSP), including pertinent contract information that will assist in a risk assessment. o Requires TSP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative. o Includes "break clauses" in all TSP contracts to enable penalty-free, early termination of a contract for cause, based on the TSP's cybersecurity and/ or data protection practices deficiency(ies). o Controls changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party. o Requires a risk assessment prior to the acquisition or outsourcing of technology-related services. o Monitors, regularly reviews and audits supplier service delivery for compliance with established contract agreements. o Uses tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.
- Procurement contracts and layered defenses provide safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.
- A Governance, Risk & Compliance (GRC) function, or similar function;
- A procurement team, or similar function:
- A Shared Responsibility Matrix (SRM) is documented for every TSP that directly or indirectly affects sensitive/regulated data.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure cybersecurity and data protection requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure cybersecurity and data protection requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
Assessment Objectives
- TPM-05.2_A01 the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
- TPM-05.2_A02 security requirements to be satisfied by external system service providers are defined.
Evidence Requirements
- E-RSK-02 Supply Chain Risk Management (SCRM) Plan
-
Documented evidence of a Supply Chain Risk Management (SCRM) Plan. This is program-level documentation in the form of a playbook, concept of operations or a similar format provides guidance on organizational practices that support existing policies and standards.
Risk Management
Technology Recommendations
Micro/Small
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
Small
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
Medium
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
Large
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls
Enterprise
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
- Data Protection Impact Assessment (DPIA)
- Third-party contract requirements for cybersecurity controls