
Third-Party Risk Management Guide: The Cybersecurity Framework Compliance Handbook

Table of Contents

Cybersecurity Frameworks Focusing on Third-Party Risk................................. 3

CIS Critical Security Controls 15 and 17............................................................. 4

Consensus Assessments Initiative Questionnaire (CAIQ)................................ 14

Cybersecurity Maturity Model Certification (CMMC)....................................... 16

Executive Order on Improving the Nation’s Cybersecurity ............................... 22

ISO 27001, 27002 & 27036-2 ........................................................................... 26

NCSC Supply Chain Cyber Security Guidance.................................................. 53

NIST SP 800-53, SP 800-161 and CSF.............................................................. 62

Payment Card Industry Data Security Standard (PCI DSS)............................... 85

SEC Cybersecurity Disclosure Rules ................................................................ 88

Standard Information Gathering (SIG) Questionnaire ...................................... 97

System and Organization Control (SOC) 2 ....................................................... 98

How Prevalent Can Help....................................................................................... 106

About Prevalent ................................................................................................... 107

Cybersecurity Frameworks Focusing on Third-Party Risk

As businesses continue to diversify and globalize, organizations looking to focus squarely on core business functions are turning to third parties to fulfill specialized services, such as web hosting, payments processing, and cloud services. Although this provides significant benefits, this extended ecosystem is nonetheless rife with escalating threats to data privacy, security, and company reputation.

Data breaches and cybersecurity risks are impacting companies at an alarming rate, with the software supply chain at the center of many targeted attacks. In the face of growing threats, regulators and governing bodies are taking notice. An increase in third-party regulations, along with the accompanying scrutiny from auditors, has obligated organizations to develop effective third-party risk management programs to meet compliance mandates and deepen their IT security controls.

Complying with TPRM Regulations, Guidelines and Standards


Regardless of your industry, corporate compliance and reporting is an essential part of everyday operations.
Ensuring internal adherence to regulations, guidance, and industry standards is complex and challenging
at best (especially when you rely on spreadsheets). Tack on compliance mandates related to third parties,
vendors, business associates, and supply chain partners, and the burden of managing data risk takes an
entirely new trajectory.

To comply with regulations, guidelines and standards in this paper, your organization should adopt a third-
party risk management (TPRM) program. This includes a multi-step approach where you:

1. Set the rules of third-party engagement based on your organization’s risk tolerance and data security
and privacy policies

2. Include these rules, as well as auditing requirements, in all third-party contracts

3. Evaluate third parties via questionnaire-based risk assessments

4. Measure performance against contractual service level agreements

5. Continuously monitor third parties to verify compliance

6. Remediate deficiencies

In the following pages, we’ll review key third-party risk management requirements noted in major
cybersecurity frameworks. We’ll then map the capabilities of the Prevalent Third-Party Risk Management
Platform to each relevant requirement. This will illustrate how a unified solution can enable you to achieve
compliance while mitigating third-party cybersecurity risks.

The Center for Internet Security (CIS) Critical Security Controls

The Center for Internet Security® (CIS) Critical Security Controls are a commonly used set of 18 best-practice recommendations supported by 153 sub-controls (called Safeguards) meant to help IT security teams reduce the impact of a cybersecurity incident. CIS describes the controls as a “prescriptive, prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and in alignment with all industry or government security requirements.”

Currently on version 8, the 18 CIS Controls and 153 supporting Safeguards are further ordered into three
Implementation Groups (IGs) to help organizations prioritize the implementation of key Safeguards:

• IG1 includes Safeguards considered “essential cyber hygiene” by CIS and “should be implementable
with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks”

• IG2 includes Safeguards aimed at teams dealing with increased operational complexity

• IG3 includes Safeguards meant to address sophisticated cyberattacks

CIS further classifies each Safeguard by NIST security function to simplify cross-mapping with each core
NIST function: Identify, Detect, Protect, Respond and Recover.

This section examines the third-party risk management Safeguards specified in Control 15: Service Provider
Management and Control 17: Incident Response Management, and includes capabilities available in the
Prevalent Third-Party Risk Management Platform that can speed and simplify their implementation.

Meeting Requirements in Critical Security Controls 15 and 17


Please see the table on the following pages for a summary of the third-party risk management requirements
in CIS Critical Security Control 15: Service Provider Management and Control 17: Incident Response
Management and for information on how Prevalent can help your organization address these requirements.
Each Safeguard also references the appropriate Implementation Group (IG) and NIST security function.

Please note: The below table reviews Critical Security Control 15 and applicable Safeguards in Control 17. For a complete
review of all 18 CIS Controls, please contact your auditor or reference the full CIS Critical Security Controls guide.

[Figure: Number of Safeguards in CIS Controls 15 and 17 applicable to each Implementation Group. Source: https://www.cisecurity.org/controls/implementation-groups/ig3]
Control 15: Service Provider Management
“Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and
data appropriately.”

15.1 Establish and Maintain an Inventory of Service Providers
Security function: Identify
IG1,2,3

“Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent enables organizations to build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized and customizable intake form and associated workflow. This is available to everyone via email invitation, without requiring any training or solution expertise.

As all service providers are being centralized, teams can create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

15.2 Establish and Maintain a Service Provider Management Policy
Security function: Identify
IG2,3

“Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

As part of this process, Prevalent can help you define:

• Clear roles and responsibilities (e.g., RACI)

• Third-party inventories

• Vendor classification and categorization

• Risk scoring and thresholds based on your organization’s risk tolerance

• Assessment and monitoring methodologies based on third-party criticality

• Fourth-party mapping

• Sources of continuous monitoring data (cyber, business, reputational, financial)

• Key performance indicators (KPIs) and key risk indicators (KRIs)

• Governing policies, standards, systems and processes to protect data

• Compliance and contractual reporting requirements against service levels

• Incident response requirements

• Risk and internal stakeholder reporting

• Risk mitigation and remediation strategies

15.3 Classify Service Providers
Security function: Identify
IG2,3

“Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria include:

• Type of content required to validate controls

• Criticality to business performance and operations

• Location(s) and related legal or regulatory considerations

• Level of reliance on fourth parties (to avoid concentration risk)

• Exposure to operational or client-facing processes

• Interaction with protected data

• Financial status and health

• Reputation

From this inherent risk assessment, your team can automatically classify and tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

15.4 Ensure Service Provider Contracts Include Security Requirements
Security function: Protect
IG2,3

“Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.”

How Prevalent helps: Prevalent centralizes the distribution, discussion, retention and review of vendor contracts and offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. This ensures that key security requirements are built into the vendor contract, agreed upon, and enforced throughout the relationship with key performance indicators (KPIs).

Key capabilities include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views

• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle

• Automated reminders and overdue notices to streamline contract reviews

• Centralized contract discussion and comment tracking

• Contract and document storage with role-based permissions and audit trails of all access

• Version control tracking that supports offline contract and document edits

• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

15.5 Assess Service Providers
Security function: Identify
IG3

“Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.”

How Prevalent helps: Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments – including for PCI – customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

For third parties that submit a SOC 2 report instead of a completed vendor risk assessment, Prevalent reviews the list of control gaps identified within the SOC 2 report, creates risk items against the third party within the Platform, and tracks and reports against deficiencies.

15.6 Monitor Service Providers
Security function: Detect
IG3

“Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.”

How Prevalent helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials, as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies

• A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context to cyber findings:

• 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more

• A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.

• 30,000 global news sources

• A database containing over 1.8 million politically exposed person profiles

• Global sanctions lists and over 1,000 global enforcement lists and court filings

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

15.7 Securely Decommission Service Providers
Security function: Protect
IG3

“Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.”

How Prevalent helps: The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.

• Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.

• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.

• Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.

• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

Control 17: Incident Response Management


“Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures,
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.”

17.1 Designate Personnel to Manage Incident Handling
Security function: Respond
IG1,2,3

“Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps (applies to Safeguards 17.1 through 17.6): Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

• Continuously updated and customizable event and incident management questionnaires

• Real-time questionnaire completion progress tracking

• Defined risk owners with automated chasing reminders to keep surveys on schedule

• Proactive vendor reporting

• Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor

• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business

• Guidance from built-in remediation recommendations to reduce risk

• Built-in report templates

• Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

By centralizing third-party incident response in a single system guided by a single enterprise incident management process, IT, security, legal, privacy, and compliance teams can work in unison to mitigate risks.

17.2 Establish and Maintain Contact Information for Reporting Security Incidents
Security function: Respond
IG1,2,3

“Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.”

How Prevalent helps: see 17.1 above.

17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
Security function: Respond
IG1,2,3

“Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: see 17.1 above.

17.4 Establish and Maintain an Incident Response Process
Security function: Respond
IG2,3

“Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: see 17.1 above.

17.5 Assign Key Roles and Responsibilities
Security function: Respond
IG2,3

“Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: see 17.1 above.

17.6 Define Mechanisms for Communicating During Incident Response
Security function: Respond
IG2,3

“Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: see 17.1 above.

The Prevalent Difference
CIS Controls Compliance
The increasing pervasiveness of third-party cyber-attacks is driving organizations to scrutinize their vendors’
and suppliers’ IT and data privacy controls. Security frameworks such as the CIS Critical Controls can help
provide structure and best practices recommendations. However, using spreadsheets and other manual
methods to collect, analyze, remediate and report on controls is labor-intensive and ineffective.

Prevalent offers a central, automated platform for scaling third-party risk management in concert with your
broader cybersecurity risk management program. With Prevalent, your IT security team can:

• Build a centralized service provider inventory with comprehensive risk profiles that can be accessed by multiple teams throughout the enterprise

• Gauge inherent risk to inform service provider profiling, tiering and categorization – and determine the appropriate scope and frequency of ongoing due diligence activities

• Centralize the distribution, discussion, retention and review of vendor contracts to ensure that key security requirements are included, agreed upon, and enforced with key performance indicators (KPIs)

• Automate risk assessments and remediation across every stage of the third-party lifecycle

• Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities

• Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure

The Prevalent platform includes built-in CIS Critical Controls questionnaires, backed by managed services and
a network of pre-completed assessments.

To discuss how Prevalent can help you address the requirements in CIS Critical Controls 15 and 17, request
a demo today.

The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)

This brief chapter addresses the CSA’s questionnaire for assessing security controls in infrastructure-as-a-service, platform-as-a-service and software-as-a-service offerings. While organizations are not required by law to abide by the results of a CAIQ assessment, the CAIQ is widely utilized by organizations looking for a standard approach to evaluating the security controls of a cloud provider.

About the CAIQ

The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of questions across 16 control domains that the CSA recommends should be asked of a cloud provider, for example those that offer IaaS, PaaS or SaaS applications. The CAIQ was developed to create a commonly accepted industry standard to document security controls, and therefore provides questions that can then be used for cloud provider selection and security evaluation. As of the writing of this section, the current CSA CAIQ standard is v4.0.1.

The CAIQ contains a series of 295 yes-or-no questions that can be customized to fit an individual cloud customer’s needs. The questionnaire is designed to support organizations when they interact with cloud providers during the providers’ assessment process by giving organizations specific questions to ask about the providers’ operations and processes. As well, cloud providers can use the CAIQ to outline their security capabilities and security posture in a standardized way using the terms and descriptions considered to be best practices by the CSA.

CAIQ assessments are available in two formats:

1. The full CAIQ survey captures the 16 control domains across 295 questions.

2. The CAIQ-Lite survey captures the same 16 control domains at a reduced scope, with 73 questions.

This approach enables organizations to select the model that best fits their needs for assessing their cloud service providers.

Note that the domain and question counts quoted above (16 domains, 295 questions, 73 questions for CAIQ-Lite) are those of the CAIQ v3.0.1 question set. CAIQ v4 is built on the Cloud Controls Matrix v4, which reorganizes the content into 17 control domains with a different question count, so surveys based on the v3.0.1 question set should be cross-checked against the v4 questionnaire before they are used to evaluate a provider.

Meeting CAIQ Guidance for Third-Party Risk Management


Prevalent has created two surveys, one representing the full CAIQ and the other CAIQ-Lite. The full CAIQ survey has been split into individual control groups representing the 16 control domains. This allows the survey to be customized to the needs of individual customers, depending on their appetite for assessing cloud providers. The Prevalent approach to hosting both questionnaires in our Third-Party Risk Management Platform has several benefits:

• Simpler reporting: Results of CAIQ assessments are aligned to core security standards, including NIST, ISO 27001 and COBIT 5, so that by using the Prevalent Platform you can address multiple cloud security reporting requirements in a single assessment.

• Tiered assessments: Questionnaires are customizable to suit the requirements of each cloud customer, with CAIQ-Lite beneficial for cloud service providers deemed “low risk” (for example, based on their access to sensitive data).

• Faster turnaround: The reduced question set in CAIQ-Lite allows for a quicker turnaround time for assessment completion, speeding time to resolution and focusing your team on remediating risks.

The Prevalent Difference
CAIQ Compliance
CSA standards require robust management and tracking of third-party
risk. Prevalent can help address the requirements in the CAIQ by:

• Automating the end-to-end process of collecting and analyzing CAIQ surveys, speeding and simplifying assessments, compliance, and due diligence review.

• Delivering clear reporting beyond a score, tying risks to business outcomes and helping to make better risk-based decisions, prove compliance, and prioritize resources.

• Meeting industry standards and ensuring third-party risk management regulatory compliance targets for cyber risk, InfoSec, and data privacy.

• Centralizing TPRM functions, delivering a single view and a single repository for effective reporting to satisfy audit and compliance requirements.

• Utilizing a consistent, repeatable, proven methodology, enabling a scalable, more mature vendor risk management program.

As your organization seeks to migrate more workloads to the cloud, assessing third parties will be essential.
Prevalent can help by centralizing vendor assessments across a range of requirements.

To discuss how Prevalent can help you address the requirements in the CAIQ, request a demo today.

US Department of Defense Cybersecurity Maturity Model Certification (CMMC)

In November 2021, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v2.0 of the Cybersecurity Maturity Model Certification (CMMC), a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. Version 2.0 greatly simplifies the model by streamlining certification levels from five (5) to three (3), eliminating proprietary maturity layers, and adjusting assessment responsibilities.

CMMC requires companies to achieve certification against cybersecurity and controlled unclassified information (CUI) handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that the entire US national defense supply chain is secure and resilient.

All DoD suppliers will eventually be required to be certified at one of three levels: Level 1 (Foundational), Level 2 (Advanced) or Level 3 (Expert). This represents a change from version 1.0, which featured five certification levels. Version 2.0 certification levels are derived from the basic safeguarding requirements for Federal Contract Information (FCI) specified in Federal Acquisition Regulation (FAR) Clause 52.204-21; the security requirements for controlled unclassified information (CUI) specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, as required by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012; and additional controls from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.

• Level 1 – Self-assessment performed by the supplier against 17 controls. This level of certification is considered foundational and is for suppliers managing FCI that is not critical to national security. This certification level is unchanged from version 1.0, originally announced in January 2020.

• Level 2 – A more advanced level of certification performed by third-party assessors (known as C3PAOs, or Certified Third-Party Assessment Organizations) against the 110 controls in NIST SP 800-171. Note that 110 is the total for Level 2: it includes the 17 Level 1 controls, so Level 2 adds 93 controls on top of Level 1. This level is intended for companies that handle controlled unclassified information (CUI). In some cases organizations can perform a self-assessment at this level.

• Level 3 – Considered an expert level for the highest-priority DoD suppliers, this level builds on Level 2 by adding a subset of NIST SP 800-172 controls on top. The federal government will conduct the assessments for companies at this level.

[Figure: Overview of the CMMC 2.0 Model. Source: https://dodcio.defense.gov/CMMC/Model/]

Meeting CMMC Requirements


Please see the table below for a summary of the CMMC requirements by level, organized by NIST SP
800-171 Relevant Security Controls. The Prevalent Third-Party Risk Management Platform has built-in
questionnaires for each level, enabling auditors to assess their clients, and suppliers to assess themselves
and their suppliers for compliance against each level.

CMMC Checklist

Cybersecurity Maturity Model Certification (CMMC)

NIST 800-171r2 Relevant Security Controls by Level of Certification

Level 3: Information on Level 3 will be released at a later date and will contain a subset of the security requirements specified in NIST SP 800-172. The table therefore lists, for each domain, only the Level 1 (17 controls) and Level 2 (+110 controls) requirements.

Access Control
  Level 1: 3.1.1 Authorized Access Control; 3.1.2 Transaction & Function Control; 3.1.20 External Connections; 3.1.22 Control Public Information
  Level 2: 3.1.3 Control CUI Flow; 3.1.4 Separation of Duties; 3.1.5 Least Privilege; 3.1.6 Non-Privileged Account Use; 3.1.7 Privileged Functions; 3.1.8 Unsuccessful Logon Attempts; 3.1.9 Privacy & Security Notices; 3.1.10 Session Lock; 3.1.11 Session Termination; 3.1.12 Control Remote Access; 3.1.13 Remote Access Configurability; 3.1.14 Remote Access Routing; 3.1.15 Privileged Remote Access; 3.1.16 Wireless Access Authorization; 3.1.17 Wireless Access Protection; 3.1.18 Mobile Device Connection; 3.1.19 Encrypt CUI on Mobile; 3.1.21 Portable Storage Use

Awareness and Training
  Level 1: none
  Level 2: 3.2.1 Role-Based Risk Awareness; 3.2.2 Roles-Based Training; 3.2.3 Insider Threat Awareness

Audit and Accountability
  Level 1: none
  Level 2: 3.3.1 System Auditing; 3.3.2 User Accountability; 3.3.3 Event Review; 3.3.4 Audit Failure Alerting; 3.3.5 Audit Correlation; 3.3.6 Reduction & Reporting; 3.3.7 Authoritative Time Source; 3.3.8 Audit Protection; 3.3.9 Audit Management

Configuration Management
  Level 1: none
  Level 2: 3.4.1 System Baselining; 3.4.2 Security Configuration Enforcement; 3.4.3 System Change Management; 3.4.4 Security Impact Analysis; 3.4.5 Access Restrictions for Change; 3.4.6 Least Functionality; 3.4.7 Nonessential Functionality; 3.4.8 Application Execution Policy; 3.4.9 User-Installed Software

Identification & Authentication
  Level 1: 3.5.1 Identification; 3.5.2 Authentication
  Level 2: 3.5.3 Multi-factor Authentication; 3.5.4 Replay-Resistant Authentication; 3.5.5 Identifier Reuse; 3.5.6 Identifier Handling; 3.5.7 Password Complexity; 3.5.8 Password Re-use; 3.5.9 Temporary Passwords; 3.5.10 Cryptographically-Protected Passwords; 3.5.11 Obscure Feedback

Incident Response
  Level 1: none
  Level 2: 3.6.1 Incident Handling; 3.6.2 Incident Reporting; 3.6.3 Incident Response Testing

Maintenance
  Level 1: none
  Level 2: 3.7.1 Perform Maintenance; 3.7.2 System Maintenance Control; 3.7.3 Equipment Sanitization; 3.7.4 Media Inspection; 3.7.5 Nonlocal Maintenance; 3.7.6 Maintenance Personnel

Media Protection
  Level 1: 3.8.3 Media Disposal
  Level 2: 3.8.1 Media Protection; 3.8.2 Media Access; 3.8.4 Media Markings; 3.8.5 Media Accountability; 3.8.6 Portable Storage Encryption; 3.8.7 Removable Media; 3.8.8 Shared Media; 3.8.9 Protect Backups

Personnel Security
  Level 1: none
  Level 2: 3.9.1 Screen Individuals; 3.9.2 Personnel Actions

Physical Protection
  Level 1: 3.10.1 Limit Physical Access; 3.10.3 Escort Visitors; 3.10.4 Physical Access Logs; 3.10.5 Manage Physical Access
  Level 2: 3.10.2 Monitor Facility; 3.10.6 Alternative Work Sites

Risk Assessment
  Level 1: none
  Level 2: 3.11.1 Risk Assessments; 3.11.2 Vulnerability Scan; 3.11.3 Vulnerability Remediation

Security Assessment
  Level 1: none
  Level 2: 3.12.1 Security Control Assessment; 3.12.2 Plan of Action; 3.12.3 Security Control Monitoring; 3.12.4 System Security Plan

System and Communications Protection
  Level 1: 3.13.1 Boundary Protection; 3.13.5 Public-Access System Separation
  Level 2: 3.13.2 Security Engineering; 3.13.3 Role Separation; 3.13.4 Shared Resource Control; 3.13.6 Network Communication by Exception; 3.13.7 Split Tunneling; 3.13.8 Data in Transit; 3.13.9 Connections Termination; 3.13.10 Key Management; 3.13.11 CUI Encryption; 3.13.12 Collaborative Device Control; 3.13.13 Mobile Code; 3.13.14 Voice over Internet Protocol; 3.13.15 Communications Authenticity; 3.13.16 Data at Rest

System and Information Integrity
  Level 1: 3.14.1 Flaw Remediation; 3.14.2 Malicious Code Protection; 3.14.4 Update Malicious Code Protection; 3.14.5 System & File Scanning
  Level 2: 3.14.3 Security Alerts & Advisories; 3.14.6 Monitor Communications for Attacks; 3.14.7 Identify Unauthorized Use

The Prevalent Difference
CMMC Compliance
The Prevalent Third-Party Risk Management Platform has built-in questionnaires for Level 1 and Level 2, enabling
suppliers to assess themselves and auditors to assess their clients against each level. When Level 3 certification
requirements have been published, Prevalent will add the appropriate questionnaire to the Platform.

C3PAOs can:

• Invite clients into the Prevalent Platform to complete their standardized Level 2 control assessment in an easy-to-use, secure tenant

• Automate chasing reminders to suppliers or clients to reduce the time required to complete assessments

• Centralize supporting documents submitted as evidence of the presence of controls

• View a single register of risks raised depending on how the client or supplier responds to the questions

• Issue remediation recommendations for failed controls

• Deliver customized reporting on the current level of compliance, demonstrating the risk-reducing impact of the application of future controls

Any DoD supplier can conduct a Level 1 or Level 2 self-assessment to:

• Assess themselves against the 17 controls required to measure Level 1 compliance

• Assess themselves against the 110 controls required to measure Level 2 compliance

• Upload documentation and evidence to support answers to questions

• Gain visibility into current compliance status

• Leverage built-in remediation guidance to address shortcomings

• Produce reporting to measure compliance for auditors

To discuss how Prevalent can help you address the CMMC requirements, request a demo today.

Executive Order 14028 on Improving the
Nation’s Cybersecurity
On May 12, 2021, President Biden signed the Executive Order 14028 on Improving the
Nation’s Cybersecurity. Developed in the wake of the highly damaging SolarWinds Orion
software supply chain breach, the Order directs several US Federal Government agencies
to better coordinate in preventing, detecting, responding to and mitigating security
incidents and breaches by:

• Removing barriers to sharing threat information

• Modernizing Federal Government cybersecurity technologies and practices

• Enhancing software supply chain security

• Establishing and standardizing the Federal Government’s playbook for vulnerabilities and
incident response

• Improving the detection of cybersecurity vulnerabilities and incidents on Federal Government networks

• Improving the Federal Government’s investigative and remediation capabilities

This Executive Order (EO) builds on previous cybersecurity-related EOs and requires agencies to establish
uniform standards based on NIST, with enforcement beginning in May 2022.

Since this EO introduces several new third-party risk management requirements for Federal agencies to
implement, this section focuses on Section 4, Enhancing Software Supply Chain Security. If software suppliers
are not able to meet these requirements, they will be removed from the Federal Government’s Acquisition
Regulation – meaning they can no longer sell to the government.

How TPRM Applies to the Executive Order

Critical Federal Government IT systems have long been the target of nation state attacks. Malicious actors know that the easiest, least secure path into Federal systems is often through third-party services and software. Third-party providers may not have the processes or controls necessary to detect malicious activity or code, and they can potentially expose a wide range of sensitive information.

Third-party risk management technologies and processes can help to address guidelines in the Executive Order that require organizations to evaluate and report on software security. The EO criteria include assessments of developer and supplier security controls, as well as documentation that demonstrates adherence to secure practices.

The table on the following pages summarizes some of the most important third-party risk management requirements addressed in the EO, along with Prevalent’s recommended capabilities to assess supplier practices.

Executive Order 14028 Checklist

Executive Order 14028: Improving the Nation’s Cybersecurity

Each entry below pairs the Guidance text from Section 4 (e) with How Prevalent Helps.

4 (e) (i) (A)-(F)
Guidance: Such guidance shall include standards, procedures, or criteria regarding: (i) secure software development environments, including such actions as: (A) using administratively separate build environments; (B) auditing trust relationships; (C) establishing multi-factor, risk-based authentication and conditional access across the enterprise; (D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software; (E) employing encryption for data; and (F) monitoring operations and alerts and responding to attempted and actual cyber incidents;
How Prevalent Helps: When assessing third-party software security practices, take advantage of existing industry-accepted standardized risk assessment questionnaire templates including the Standard Information Gathering (SIG), NIST, CMMC, and related assessments built into the Prevalent TPRM Platform. Utilizing a single standardized assessment across your supplier base ensures that agencies can more efficiently compare the software security practices of their suppliers.
Note: Agencies can also take advantage of the Prevalent Vendor Risk Networks, which contain completed security risk assessments to accelerate the risk identification process.

4 (e) (ii)
Guidance: (ii) generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section;
How Prevalent Helps: When assessing a third party’s secure software development practices, leverage Prevalent’s capability to centralize supporting evidence in the Platform with built-in task and acceptance management, plus mandatory upload features. A secure document repository ensures that relevant parties can review documentation and artifacts accordingly.

4 (e) (iii)
Guidance: (iii) employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
How Prevalent Helps: See 4 (e) (i) (A)-(F) above.

4 (e) (iv)
Guidance: (iv) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;
How Prevalent Helps: Third parties must scan, triage and remediate vulnerabilities in their software and code, and attest to it. But threats don’t end there. Security teams should also monitor the Internet and dark web for cyber threats, leaked credentials, or other indicators of compromise that can open pathways into Federal systems if left undetected. Prevalent Vendor Threat Monitor combines feeds directly into the Prevalent Platform to ensure organizations have a complete view of risks – whether revealed during a periodic assessment or through continuous monitoring.

4 (e) (v)
Guidance: (v) providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;
How Prevalent Helps: The Prevalent TPRM Platform reveals risk trends, status, remediations, and exceptions to common behavior for individual suppliers or groups with embedded machine learning insights. This enables teams to quickly identify outliers across assessments, tasks, risks, etc. that could warrant further investigation.

4 (e) (vi)
Guidance: (vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
How Prevalent Helps: Prevalent automatically maps information gathered from internal audits to standards or regulatory frameworks applicable in this EO – including NIST, CMMC and others – to quickly visualize and address important control deficiencies and attest to practices.

4 (e) (vii)
Guidance: (vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
How Prevalent Helps: See 4 (e) (i) (A)-(F) above.

4 (e) (viii)
Guidance: (viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process;
How Prevalent Helps: See 4 (e) (i) (A)-(F) above.

4 (e) (ix)
Guidance: (ix) attesting to conformity with secure software development practices; and
How Prevalent Helps: See 4 (e) (ii) above.

4 (e) (x)
Guidance: (x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
How Prevalent Helps: See 4 (e) (vi) above.

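Requirements 4 (e) (vi), (vii) and (x) above turn on one concrete artifact: an SBOM whose component entries can be checked against what the supplier actually delivered. The following is an added example of such a check (it is not Prevalent's code and not part of the Executive Order). It assumes a minimal CycloneDX 1.4 JSON shape (a top-level "components" list whose entries carry "purl" and a "hashes" list of {"alg", "content"}); the SBOM document and the artifact bytes are constructed samples, and every status string and function name is this example's own choice.

```python
"""Check a CycloneDX-style SBOM against the artifacts a purchaser received.

Added example, not Prevalent's or the EO's code. Assumes the minimal
CycloneDX 1.4 JSON shape described in the lead-in; all data is constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the artifacts actually delivered, keyed by package URL
# (purl). The byte strings stand in for real wheel / tarball contents.
ARTIFACTS = {
    "pkg:pypi/example-parser@1.2.0": b"example-parser 1.2.0 wheel contents",
    "pkg:npm/leftpad-clone@0.9.1": b"leftpad-clone 0.9.1 tarball contents",
    "pkg:generic/vendor-blob@3.0.0": b"opaque vendor blob",
    "pkg:pypi/undeclared-dep@2.0.0": b"shipped but never declared",
}

# Constructed SBOM exercising each failure mode a reviewer should see.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {   # declared hash matches the delivered bytes
            "type": "library", "name": "example-parser", "version": "1.2.0",
            "purl": "pkg:pypi/example-parser@1.2.0",
            "hashes": [{"alg": "SHA-256",
                        "content": sha256_hex(ARTIFACTS["pkg:pypi/example-parser@1.2.0"])}],
        },
        {   # declared hash does not match what was delivered
            "type": "library", "name": "leftpad-clone", "version": "0.9.1",
            "purl": "pkg:npm/leftpad-clone@0.9.1",
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
        },
        {   # no hash at all: nothing to verify integrity against
            "type": "library", "name": "vendor-blob", "version": "3.0.0",
            "purl": "pkg:generic/vendor-blob@3.0.0",
        },
        {   # declared in the SBOM but never delivered
            "type": "library", "name": "ghost", "version": "1.0.0",
            "purl": "pkg:pypi/ghost@1.0.0",
            "hashes": [{"alg": "SHA-256", "content": "11" * 32}],
        },
    ],
})


def verify_sbom(sbom_json: str, artifacts: dict) -> dict:
    """Map every SBOM component (and every delivered artifact) to a status.

    Statuses: "ok", "hash-mismatch", "no-hash", "missing-artifact",
    "undeclared" (delivered with no SBOM entry) and "no-purl".
    """
    sbom = json.loads(sbom_json)
    findings = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings[f"{comp.get('name')}@{comp.get('version')}"] = "no-purl"
            continue
        declared = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if declared is None:
            findings[purl] = "no-hash"
            continue
        data = artifacts.get(purl)
        if data is None:
            findings[purl] = "missing-artifact"
        elif sha256_hex(data) == declared:
            findings[purl] = "ok"
        else:
            findings[purl] = "hash-mismatch"
    # Completeness: anything delivered that the SBOM never mentions.
    for purl in artifacts:
        if purl not in findings:
            findings[purl] = "undeclared"
    return findings


def sbom_is_complete_and_intact(findings: dict) -> bool:
    """True only when every component verified and nothing was undeclared."""
    return all(status == "ok" for status in findings.values())


if __name__ == "__main__":
    for purl, status in verify_sbom(SAMPLE_SBOM, ARTIFACTS).items():
        print(f"{status:17} {purl}")
```

A purchaser would run this over the supplier's published SBOM and the downloaded release; any status other than "ok" is a finding to raise with the supplier, and "undeclared" is the case the hash check alone would never surface.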
The Prevalent Difference
The Executive Order on Improving the Nation’s Cybersecurity
As the requirements outlined in the Executive Order on Improving
the Nation’s Cybersecurity take shape, now is the time for IT software
companies to build or mature their own third-party risk management
programs. Key considerations should include:

• Identifying which suppliers are considered critical, and focusing assessment efforts on those that present the most inherent risk to your operations

• Regularly assessing the secure software development lifecycle practices of key third parties that contribute code or updates to your final builds

• Continuously monitoring the dark web, hacker chatter and other related forums for activity related to your third parties

• Triaging and remediating assessment and monitoring findings

• Centralizing documentation and reporting for auditors

Prevalent automates the critical tasks required to identify, assess, analyze, remediate and continuously monitor third-party security, privacy, operational, compliance and procurement-related risks across every stage of the vendor lifecycle.

To discuss how Prevalent can help you address requirements in Executive Order 14028,
request a demo today.

ISO 27001, 27002 and 27036-2
The International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) assemble experts from 165 countries to share
knowledge and develop voluntary, consensus-based standards to solve global challenges.
Organizations pursue ISO certifications to benefit from best practice guidance, align with
global frameworks, and signal to customers and partners that they adhere to accepted
standards. ISO standards therefore provide the foundation for many compliance regimes.
This section examines supply chain security controls and guidance in the above ISO standards and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can be used to meet ISO requirements for stronger supply chain security. For simplification, all standards are abbreviated as ISO [number].

Several ISO cybersecurity and data privacy standards address third-party risks, including:

• ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements

• ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls

• ISO/IEC 27036-2:2022 Cybersecurity — Supplier relationships — Part 2: Requirements

ISO 27001 and ISO 27002

ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving information security management systems. It also outlines a systematic approach to securely managing sensitive company information.

ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations identify what they need to meet these requirements. Together, ISO 27001 and 27002 are the foundation of most ISO standards related to cybersecurity.

With respect to managing information security in supplier relationships, Section 15 of ISO 27001 and ISO 27002 summarizes the requirements for securely dealing with various types of third parties. Using a top down, risk-based approach, the specification provides the following guidance for managing suppliers:

• Create an information security policy for supplier relationships that outlines specific policies and
procedures and mandates specific controls be in place to manage risk

• Establish contractual supplier agreements for any third party that may access, process, store,
communicate or provide IT infrastructure to an organization’s data

• Include requirements to address the information security risks associated with information and
communications technology services and product supply chain

• Monitor, review and audit supplier service delivery

• Manage changes to the supplier services, considering re-assessment of risks

ISO 27036-2
ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating,
monitoring, reviewing, maintaining and improving supplier and acquirer relationships. This standard is
particularly relevant for third-party risk management, as the requirements cover the procurement and
supply of products and services.

Clauses 6 and 7 in ISO 27036-2 define fundamental and high-level information security requirements applicable
to managing each stage of the supplier relationship lifecycle.

The next section of this checklist identifies key third-party risk management guidance published in the ISO
standards. It also describes capabilities in the Prevalent Platform that can help address the requirements.

Mapping Prevalent Capabilities to ISO Standards


The summary table below maps capabilities in the Prevalent Third-Party Risk Management Platform to
select third-party, vendor and supplier controls present in ISO 27001, ISO 27002 and ISO 27036-2.

NOTE: This table should not be considered definitive guidance. For a complete list of controls, please review
the complete ISO standards in detail and consult your auditor.

Table 1. Prevalent Mappings to ISO 27001 Security Standards


This table summarizes select supplier relationship controls most applicable to third-party risk management
among the 93 identified in ISO 27001.

ISO 27001 Checklist

Each entry below pairs an ISO 27001 control (with its requirement text quoted) with How Prevalent Helps.

5 Organizational Controls

5.1 Policies for information security
“Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”
How Prevalent Helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security, cybersecurity and privacy protection programs based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

5.2 Information security roles and responsibilities
“Information security roles and responsibilities shall be defined and allocated according to the organization needs.”
How Prevalent Helps: As part of this process, Prevalent can help you define:
• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

5.7 Threat intelligence
“Information relating to information security threats shall be collected and analysed to produce threat intelligence.”
How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources include:
• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world
All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

5.11 Return of assets
“Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.”
How Prevalent Helps: When a termination or exit is required for critical services, Prevalent leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

5.19 Information security in supplier relationships
“Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”
How Prevalent Helps: Prevalent offers a library of more than 200 pre-built templates, including dedicated ISO questionnaires, for assessing the information security risks associated with third-parties. Assessments are centrally managed in the Prevalent Platform. They are backed by workflow, task management and automated evidence review to enable visibility into risks throughout the supplier relationship. Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that third parties address risks in a timely and satisfactory manner. For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding suppliers and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.

5.20 Addressing information security within supplier agreements
“Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.”
How Prevalent Helps: Prevalent centralizes the distribution, discussion, retention and review of supplier contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:
• Central tracking of contracts and contract attributes (e.g., type, key dates, value, reminders and status) with custom, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to speed contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

5.21 Managing information security in the information and communication technology (ICT) supply chain
“Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”
How Prevalent Helps: Prevalent standardizes assessments against ISO best practices and other information security control frameworks, providing internal audit and IT security teams with a central platform for measuring and demonstrating adherence to secure software development and software development lifecycle (SDLC) practices.

5.22 Monitoring, review and change management of supplier services
“The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.”
How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources include:
• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world
All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

5.23 Information security for use of cloud services
“Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.”
How Prevalent Helps: Prevalent standardizes assessments against SOC 2, Cyber Essentials, ISO, and other information security control frameworks, providing key controls assessments against cloud services requirements. These same assessments are also used to assess information security controls when offboarding cloud services.

5.24 Information security incident management planning and preparation
“The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.”

5.25 Assessment and decision on information security events
“The organization shall assess information security events and decide if they are to be categorized as information security incidents.”

5.26 Response to information security incidents
“Information security incidents shall be responded to in accordance with the documented procedures.”

5.28 Collection of evidence
“The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”

How Prevalent Helps (5.24, 5.25, 5.26 and 5.28): Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:
• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

5.30 ICT readiness for business continuity
“ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.”
How Prevalent Helps: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks. To complement business resilience assessments and validate results, Prevalent:
• Automates continuous cyber monitoring that may predict possible third-party business impacts
• Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
• Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns
This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.
The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:
• Categorize suppliers according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with suppliers during business disruptions

5.31 Legal, statutory, regulatory and contractual requirements
“Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.”
How Prevalent Helps: Prevalent centralizes the distribution, discussion, retention, and review of supplier contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:
• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to speed contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

5.34 Privacy and protection of personal identifiable information (PII)
“The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.”
How Prevalent Helps: Prevalent delivers a centralized, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks. Key data security and privacy assessment capabilities include:
• Scheduled assessments and relationship mapping to reveal where personal data exists, where it is shared, and who has access – all summarized in a risk register that highlights critical exposures
• Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII)
• Vendor assessments against GDPR and other privacy regulations via the Prevalent Compliance Framework (PCF) – reveals potential hot spots by mapping identified risks to specific controls
• GDPR risk and response mapping to controls. Includes percent-compliance ratings and stakeholder-specific reports.
• A database containing 10+ years of data breach history for thousands of companies – includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications
• Centralized onboarding, distribution, discussion, retention, and review of vendor contracts – ensures that data protection provisions are enforced from the beginning of the relationship


5.36 Compliance with policies, rules and standards for information security

“Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.”

How Prevalent Helps: With Prevalent, auditors can establish a program to efficiently achieve and demonstrate compliance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements.

Table 2. Prevalent Mappings to ISO 27002 Security Standards for Supplier Relationships

This table provides greater detail into the supplier relationship controls reviewed in ISO 27001 5.19-5.22.

ISO 27002 Controls How Prevalent Helps

5.19 Information security in supplier relationships

“Processes and procedures should be defined and implemented to manage the information security risks
associated with the use of supplier’s products or services.”

5.19 a) “identifying and documenting the types of suppliers (e.g. ICT services, logistics, utilities, financial services, ICT infrastructure components) which can affect the confidentiality, integrity and availability of the organization’s information;”

5.19 e) “defining the types of ICT infrastructure components and services provided by suppliers which can affect the confidentiality, integrity and availability of the organization’s information;”

How Prevalent Helps: The Prevalent Platform enables organizations to automatically tier suppliers according to their inherent risk scores, set appropriate levels of diligence, and determine the scope of ongoing assessments.

Organizations can also categorize vendors with rule-based logic based on a range of data interaction, financial, regulatory and reputational considerations.

ISO 27002 Checklist


5.19 b) “establishing how to evaluate and select suppliers according to the sensitivity of information, products and services (e.g. with market analysis, customer references, review of documents, onsite assessments, certifications);”

How Prevalent Helps: Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) as part of vendor selection decisions.

Prevalent moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.

Prevalent features a library of more than 200 pre-built templates for ongoing third-party risk assessments. These are integrated with native cyber, business, reputational, and financial risk monitoring capabilities, which continuously validate assessment findings and fill gaps between assessments.

Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.

5.19 c) “evaluating and selecting supplier’s products or services that have adequate information security controls and reviewing them; in particular, accuracy and completeness of controls implemented by the supplier that ensure integrity of the supplier’s information and information processing and hence the organization’s information security;”

How Prevalent Helps: The Prevalent Risk Profiling Snapshot enables you to compare and monitor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors. With the Snapshot, you can see results in line with RFx responses for a holistic view of suppliers – their fit for purpose and fit according to your organization’s risk appetite.

5.19 g) “monitoring compliance with established information security requirements for each type of supplier and type of access, including third-party review and product validation;”

5.19 h) “mitigating non-compliance of a supplier, whether this was detected through monitoring or by other means;”

How Prevalent Helps: With Prevalent, auditors can establish a program to efficiently achieve and demonstrate compliance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO and other regulatory frameworks and validates it with continuous monitoring, enabling you to quickly visualize and address important compliance requirements.


5.19 i) “handling incidents and contingencies associated with supplier products and services including responsibilities of both the organization and suppliers;”

How Prevalent Helps: The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

5.19 j) “resilience and, if necessary, recovery and contingency measures to ensure the availability of the supplier’s information and information processing and hence the availability of the organization’s information;”

How Prevalent Helps: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:

• Automates continuous cyber monitoring that may predict possible third-party business impacts
• Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
• Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

• Categorize suppliers according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with suppliers during business disruptions.


5.19 m) “requirements to ensure a secure termination of the supplier relationship, including:
1) de-provisioning of access rights;
2) information handling;
3) determining ownership of intellectual property developed during the engagement;
4) information portability in case of change of supplier or insourcing;
6) records management;
7) return of assets;
8) secure disposal of information and other associated assets;
9) ongoing confidentiality requirements”

How Prevalent Helps: The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

5.20 Addressing security within supplier agreements

“Relevant information security requirements should be established and agreed with each supplier based on
the type of supplier relationship.”

5.20 d) “legal, statutory, regulatory and contractual requirements, including data protection, handling of personally identifiable information (PII), intellectual property rights and copyright and a description of how it will be ensured that they are met;”

How Prevalent Helps: Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts, ensuring that key provisions are included in supplier contracts and continually tracked. Key capabilities include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access


5.20 e) “obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting and auditing, and the supplier’s obligations to comply with the organization’s information security requirements;”

How Prevalent Helps: The Prevalent solution enables internal, control-based assessments (based on the ISO industry standard framework and/or custom questionnaires). The platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party’s performance.

Organizations can assess third parties against cybersecurity, SLA performance, and other topics, and correlate findings with the results of continuous outside monitoring for a complete view of risks.

5.20 h) “information security requirements regarding the supplier’s ICT infrastructure; in particular, minimum information security requirements for each type of information and type of access to serve as the basis for individual supplier agreements based on the organization’s business needs and risk criteria;”

5.20 i) “indemnities and remediation for failure of contractor to meet requirements;”

How Prevalent Helps: Prevalent provides a framework for centrally measuring third-party KPIs and KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.

The capabilities can help your team to uncover risk and performance trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.

Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.

5.20 j) “incident management requirements and procedures (especially notification and collaboration during incident remediation);”

How Prevalent Helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.


5.20 l) “relevant provisions for sub-contracting, including the controls that need to be implemented, such as agreement on the use of sub-suppliers (e.g. requiring to have them under the same obligations of the supplier, requiring to have a list of sub-suppliers and notification before any change);”

How Prevalent Helps: Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

This approach provides insights to address potential technology or geographic concentration risk.

5.20 o) “the evidence and assurance mechanisms of third-party attestations for relevant information security requirements related to the supplier processes and an independent report on effectiveness of controls;”

5.20 q) “supplier’s obligation to periodically deliver a report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report;”

How Prevalent Helps: The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to ISO and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

5.20 x) “termination clauses upon conclusion of the agreement including records management, return of assets, secure disposal of information and other associated assets, and any ongoing confidentiality obligations;”

5.20 y) “provision of a method of securely destroying the organization’s information stored by the supplier as soon as it is no longer required;”

5.20 z) “ensuring, at the end of the contract, handover support to another supplier or to the organization itself;”

How Prevalent Helps: Prevalent contract lifecycle management capabilities ensure that key provisions are included in supplier contracts and continually tracked. Automated contract assessments and offboarding procedures such as reporting on system access, data destruction, access management, compliance with all relevant laws, and final payments reduce your organization’s risk of post-contract exposure.


5.21 Managing information security in the ICT supply chain

“Processes and procedures should be defined and implemented to manage the information security risks
associated with the ICT products and services supply chain.”

5.21 b) “requiring that ICT services suppliers propagate the organization’s security requirements throughout the supply chain if they sub-contract for parts of the ICT service provided to the organization;”

5.21 c) “requiring that ICT products suppliers propagate appropriate security practices throughout the supply chain if these products include components purchased or acquired from other suppliers or other entities (e.g. sub-contracted software developers and hardware component providers);”

5.21 f) “implementing a monitoring process and acceptable methods for validating that delivered ICT products and services comply with stated security requirements. Examples of such supplier review methods can include penetration testing and proof or validation of third-party attestations for the supplier’s information security operations;”

How Prevalent Helps: Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

This approach provides insights to address potential technology or geographic concentration risk.

5.21 g) “implementing a process for identifying and documenting product or service components that are critical for maintaining functionality and therefore require increased attention, scrutiny and further follow up required when built outside of the organization especially if the supplier outsources aspects of product or service components to other suppliers;”

How Prevalent Helps: Prevalent enables you to assess and monitor third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.
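As an added illustration (not Prevalent's code or the page's own), the following Python sketches the kind of rule-based inherent-risk tiering the passage describes: each listed criterion (data interaction, business criticality, location and regulatory exposure, reliance on fourth parties, financial health, reputation) contributes to a score, a hard rule can force Tier 1 regardless of the score, and the resulting tier selects the depth and frequency of due diligence. The point values, thresholds, scope definitions and sample vendors are constructed assumptions, not Prevalent's actual logic.

```python
"""Rule-based inherent-risk tiering for third parties (added illustration).

Not Prevalent's code. Each inherent-risk criterion named in the text
contributes points; a hard rule can force Tier 1 regardless of score;
the tier then fixes the assessment scope. Weights, thresholds, scope
definitions and sample vendors are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    name: str
    data_classification: str      # "public" | "internal" | "confidential" | "regulated"
    business_critical: bool       # an outage would halt an operational or client-facing process
    regulated_jurisdictions: int  # jurisdictions imposing legal/regulatory obligations on the data
    fourth_party_count: int       # known subcontractors that also handle the data
    financial_health: str         # "strong" | "stable" | "weak"
    adverse_media: bool           # recent negative news or sanctions/PEP hits


# Assumed point values per criterion (not Prevalent's weights).
DATA_POINTS = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}
FINANCIAL_POINTS = {"strong": 0, "stable": 1, "weak": 3}
TIER_1_THRESHOLD = 9   # score at or above this is Tier 1
TIER_2_THRESHOLD = 4   # score at or above this (and below Tier 1) is Tier 2

# Assumed due-diligence scope per tier: questionnaire depth, review interval,
# whether continuous external monitoring and an onsite review are required.
ASSESSMENT_SCOPE = {
    1: {"questionnaire": "full", "interval_months": 12, "continuous_monitoring": True, "onsite": True},
    2: {"questionnaire": "standard", "interval_months": 12, "continuous_monitoring": True, "onsite": False},
    3: {"questionnaire": "lightweight", "interval_months": 24, "continuous_monitoring": False, "onsite": False},
}


def inherent_risk_score(v: VendorProfile) -> int:
    """Sum the points for each criterion; capped terms keep one criterion from dominating."""
    score = DATA_POINTS[v.data_classification]
    if v.business_critical:
        score += 3
    score += min(v.regulated_jurisdictions, 3)  # cap: beyond 3 jurisdictions adds no further points
    score += min(v.fourth_party_count, 4)       # fourth-party reliance / concentration risk
    score += FINANCIAL_POINTS[v.financial_health]
    if v.adverse_media:
        score += 2
    return score


def tier(v: VendorProfile) -> int:
    """Map a vendor to Tier 1 (highest risk) .. Tier 3 using the score plus a hard rule."""
    # Hard rule: regulated data inside a business-critical process is always Tier 1,
    # even when every other criterion is benign.
    if v.data_classification == "regulated" and v.business_critical:
        return 1
    score = inherent_risk_score(v)
    if score >= TIER_1_THRESHOLD:
        return 1
    if score >= TIER_2_THRESHOLD:
        return 2
    return 3


def assessment_scope(v: VendorProfile) -> dict:
    """The due-diligence scope implied by the vendor's tier."""
    return ASSESSMENT_SCOPE[tier(v)]


def tier_portfolio(vendors) -> dict:
    """Tier every vendor in a portfolio: {name: tier}."""
    return {v.name: tier(v) for v in vendors}


# Constructed sample vendors (hypothetical).
PAYROLL_SAAS = VendorProfile("payroll-saas", "regulated", True, 2, 3, "stable", False)
OFFICE_CATERING = VendorProfile("office-catering", "public", False, 0, 0, "strong", False)
MARKETING_AGENCY = VendorProfile("marketing-agency", "internal", False, 1, 2, "stable", False)
BACKUP_STORAGE = VendorProfile("backup-storage", "regulated", True, 0, 0, "strong", False)
SAMPLE_PORTFOLIO = (PAYROLL_SAAS, OFFICE_CATERING, MARKETING_AGENCY, BACKUP_STORAGE)

if __name__ == "__main__":
    for v in SAMPLE_PORTFOLIO:
        print(f"{v.name:18} score={inherent_risk_score(v):2} tier={tier(v)} "
              f"scope={assessment_scope(v)['questionnaire']}")
```

The backup-storage vendor is the instructive case: its additive score (8) falls below the Tier 1 threshold, but the hard rule on regulated data in a business-critical process still places it in Tier 1, which is the behaviour you want from rule-based tiering rather than a pure weighted sum.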

5.22 Monitoring, review and change management of supplier services

“The organization should regularly monitor, review, evaluate and manage change in supplier information
security practices and service delivery.”

5.22 a) “monitor service performance levels to verify compliance with agreements;”

How Prevalent Helps: With the Prevalent Platform, organizations can customize surveys to make it easy to gather and analyze necessary performance and contract data in a single risk register. Prevalent identifies key contract attributes relating to SLAs or performance, populates those requirements in the Platform, and assigns tasks to you and your third party for tracking purposes.

5.22 b) “monitor changes made by suppliers including:
1) enhancements to the current services offered;
2) development of any new applications and systems;
3) modifications or updates of the supplier’s policies and procedures;
4) new or changed controls to resolve information security incidents and to improve information security;”

5.22 c) “monitor changes in supplier services including:
1) changes and enhancement to networks;
2) use of new technologies;
3) adoption of new products or newer versions or releases;
4) new development tools and environments;
5) changes to physical location of service facilities;
6) change of sub-suppliers;
7) sub-contracting to another supplier;”

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context into cyber findings:

• 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
• 30,000 global news sources
• A database containing over 1.8 million politically exposed person profiles
• Global sanctions lists and over 1,000 global enforcement lists and court filings

5.22 e) “conduct audits of suppliers and sub-suppliers, in conjunction with review of independent auditor’s reports, if available and follow-up on issues identified;”

How Prevalent Helps: The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to ISO and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

5.22 f) “provide information about information security incidents and review this information as required by the agreements and any supporting guidelines and procedures;”

5.22 g) “review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;”

5.22 h) “respond to and manage any identified information security events or incidents;”

How Prevalent Helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

5.22 i) “identify information security vulnerabilities and manage them;”

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, correlating monitoring data with assessment results and centralizing it in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world

5.22 j) “review information security aspects of the supplier’s relationships with its own suppliers”

How Prevalent Helps: Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.


5.22 k) “ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster;”

How Prevalent Helps: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

• Categorize suppliers according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with suppliers during business disruptions

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

5.22 m) “evaluate regularly that the suppliers maintain adequate information security levels;”

How Prevalent Helps: Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

Table 3. Prevalent Mappings to ISO 27036-2 Security Standards
Although the entire ISO 27036-2 standard is applicable for supplier relationships, this table highlights only
the most prominent controls.

ISO 27036-2 Controls How Prevalent Helps

6 Information security in supplier relationship management

6.1.1.1 Agreement processes / Acquisition process / Objective

Establish a supplier relationship strategy that:
• is based on the information security risk tolerance of the acquirer;
• defines the information security foundation to use when planning, preparing, managing and terminating the procurement of a product or service.

6.1.2.1 Agreement processes / Supply process / Objective

Establish an acquirer relationship strategy that:
• is based on the information security risk tolerance of the supplier;
• defines the information security baseline to use when planning, preparing, managing and terminating the supply of a product or service.

How Prevalent Helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

ISO 27036-2 Checklist

ISO 27036-2 Controls How Prevalent Helps

6.2.1 Organizational project-enabling processes / Life cycle model management process

a) The acquirer and the supplier shall establish the life cycle model management process when managing information security in supplier relationships.

How Prevalent Helps: Prevalent helps to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle – from sourcing and selection to offboarding and everything in between.

6.2.2.1 Organizational project-enabling processes / Infrastructure management process / Objective

a) Provide the enabling infrastructure to support the organization in managing information security within supplier relationships.

How Prevalent Helps: Prevalent provides a central SaaS platform that enables acquirers and suppliers to collaborate on risk reduction by automating risk assessments against more than 200 industry standards – including ISO. With the platform, acquirers gain built-in workflow and remediation, automated analysis and reporting.

6.2.2.2 Organizational project-enabling processes / Infrastructure management process / Activities

b) Define, implement, maintain and improve contingency arrangements to ensure that the procurement or the supply of a product or service can continue in the event of its disruption caused by natural or man-made causes.

How Prevalent Helps: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:

• Automates continuous cyber monitoring that may predict possible third-party business impacts
• Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
• Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

• Categorize suppliers according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with suppliers during business disruptions

6.2.3.2 Project portfolio management process / Activities
a) Define, implement, maintain and improve a process for identifying and categorizing suppliers or acquirers based on the sensitivity of the information shared with them and on the access level granted to them to acquirer’s or supplier’s assets, such as information and information systems;

How Prevalent Helps: Prevalent enables you to assess and monitor third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.


6.3.4.1 Project processes / Risk management process / Objective
a) Continuously address information security risks in supplier relationships and throughout their life cycle including re-examining them periodically or when significant business, legal, regulatory, architectural, policy and contractual changes occur.

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context to cyber findings:

• 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
• 30,000 global news sources
• A database containing over 1.8 million politically exposed person profiles
• Global sanctions lists and over 1,000 global enforcement lists and court filings


6.3.7.1 Project processes / Measurement process / Objective
a) Collect, analyze, and report information security measures related to the procurement or supply of a product or service to demonstrate the maturity of information security in a supplier relationship and to support effective management of processes.

How Prevalent Helps: Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

7 Information security in a supplier relationship instance

7.2.1 Supplier selection process / Objectives
a) Select a supplier that provides adequate information security for the product or service that may be procured.

How Prevalent Helps: The Prevalent Risk Profiling Snapshot enables you to compare and monitor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors. With the Snapshot, you can see results in line with RFx responses for a holistic view of suppliers – their fit for purpose and fit according to your organization’s risk appetite.

7.3.1 Supplier relationship management process / Objective
Establish and agree on a supplier relationship agreement addressing the following:

• information security roles and responsibilities of the acquirer and the supplier;
• security controls required across information security, ICT security, personnel security and physical security;
• a transition process when the product or service has been previously operated or manufactured by a party different from the supplier;
• information security change management;
• information security incident management;
• compliance monitoring and enforcement;

How Prevalent Helps: The Prevalent Platform automates workflows required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, and procurement/supply chain-related risks across every stage of the vendor lifecycle. The solution:

• Automates vendor onboarding and offboarding
• Profiles, tiers, and scores inherent risk for all suppliers
• Automates fourth party mapping and vendor demographics in a central profile
• Delivers the largest library of standardized and custom risk assessments with built-in workflow, tasks, and evidence management
• Integrates native cyber, business, reputational and financial risk monitoring to correlate risks against assessment results and validate findings
• Includes machine learning analytics to normalize and correlate findings from multiple sources
• Delivers compliance and risk reporting by framework or regulation
• Improves remediation management with built-in guidance
• Includes Contract and RFx management to enable more complete risk management prior to onboarding
• Automates third-party incident response

7.4.1 Supplier relationship management process / Objectives
a) Maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement and by particularly considering the following:
4) Monitor and enforce compliance of the supplier with information security provisions defined in the supplier relationship agreement.

How Prevalent Helps: With the Prevalent Platform, acquirers can automatically map information gathered from control-based assessments to regulatory frameworks – including ISO and many others – to quickly visualize and address important compliance requirements at every stage of the supplier lifecycle.


7.5.1 Supplier relationship termination process / Objectives
a) Protect the product or service supply during termination to avoid any information security, legal and regulatory impacts after the notice of termination;
b) Terminate the product or service supply in accordance with the termination plan.

How Prevalent Helps: The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

The Prevalent Difference
ISO 27001, 27002 and 27036-2 Compliance
The ISO standards presented in this section require robust management and tracking of third-party supplier security and data privacy risk. They specify the following:

• A policy for selecting suppliers based on information security practices should be in place;
• A policy for managing risk should be in place;
• A policy should be codified in supplier agreements; and
• Suppliers should be managed and audited to the agreed requirements.

Having strong information security management systems is part of the supplier lifecycle and requires a complete, internal view of the controls in place – as well as continuous monitoring of all third parties to validate the presence and effectiveness of certain controls. This cannot be addressed with a simple, external automated scan or with spreadsheets.

Prevalent’s Third-Party Risk Management Platform offers a complete framework for implementing
policy management, auditing and reporting related to the third-party risk and supply chain compliance
requirements of ISO 27001, 27002, and 27036-2 – with dedicated questionnaires and risk registers for
each standard.

Contact Prevalent for a free maturity assessment to determine how your current TPRM policies stack
up to ISO standards, or request a demo of the Prevalent TPRM Platform today.

NCSC Supply Chain Cyber Security Guidance
Following a continual increase in high-profile cyber attacks resulting from supply chain vulnerabilities, the United Kingdom National Cyber Security Centre (NCSC) – a part of GCHQ – has published updated guidance to help organizations effectively assess and gain confidence in the cyber security of their supply chains.
The latest guidance, issued in October 2022 and broken out into five stages, is intended to help organizations implement the NCSC’s 12 supply chain security principles originally published in January 2018.

This checklist examines the five stages in the latest NCSC guidance and identifies best-practice steps to implement the guidance.

NOTE: All best practices considerations included in this document are generalized.
Consult with your auditor about what practices are appropriate for your organization.

Five Stages to Improve Supply Chain Cyber Security

The NCSC guidance breaks down supply chain cyber security practices into the five stages depicted in the figure below (figure not reproduced in this text).

Source: https://www.ncsc.gov.uk/files/Assess-supply-chain-cyber-security.pdf

Stage 1: Before You Start
According to the NCSC guidance, the goal of stage 1 is to, “Gain knowledge about your own organisation’s approach to cyber security risk management.” This initial planning stage entails understanding:

• The risks your organization is exposed to;
• Who in the organization should be involved in supply chain cyber security decisions; and
• How the organization should evaluate risk.

NCSC Guidance / Best Practices Considerations

NCSC Guidance: Understand why your organisation should care about supply chain cyber security

Best Practices Considerations: According to a recent industry study, 45% of organizations have experienced a third-party data or privacy breach in the past 12 months. Consider some recent examples, and the impact those security incidents caused:

Toyota – financial and operational losses

In February 2022, Toyota shut down operations in Japan after a major plastic supplier, Kojima Industries, suffered a data breach. Kojima had remote access to Toyota manufacturing plants, greatly increasing Toyota’s risk. As a result of the temporary shutdown, Toyota suffered financial and operational losses.

SolarWinds – lawsuits, fines, loss of customer trust

Russian state actors hacked into the Orion software product, which was then pushed out to SolarWinds customers as part of a series of regularly planned updates. This effort gave the attackers access to thousands of companies’ systems and data. SolarWinds is facing lawsuits, fines, congressional testimony and more, and the incident will affect its customers’ trust for years to come.

Answer these key questions:

• Can your organization remain resilient in the face of a supply chain cyber disruption?
• Can you identify the target of a cyber attacker? Is it data?
• Can you identify the most likely attack path for a cyber attacker?

If the answer to any of these questions is “no,” then you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks.

NCSC Guidance: Identify the key players in your organisation. Having the right people in place to support supply chain cyber security will help drive the changes required.

Best Practices Considerations: Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. The reason that so many teams should be engaged as part of the supply chain cyber risk management process is that each department tends to focus on the risks that matter to them.

IT security and privacy teams must determine what controls are in place to protect data and access to systems, whether the supplier was breached and what the impact was, and whether there is undue risk from fourth parties.

Procurement teams may want to know if the supplier’s financial or credit history raises any concerns, or if the supplier carries a reputational problem with them.

Compliance and legal teams will want to know if the supplier has been flagged for data privacy, environmental, social and governance, bribery or sanctions issues.

Risk management teams will want to know if the supplier is in a region prone to natural disasters or geo-political instability.

First, establish a RACI matrix to define who in the organization is:

• Responsible for managing risks
• Accountable for results
• Consulted with
• Kept informed about the process and results

Finally, gain buy-in from senior executives and the board by:

• Presenting a consolidated view of current risk exposure to the organization from the supply chain
• Communicating current risk status and reduction efforts
• Identifying where executive support is needed

NCSC Guidance: Understand how your organisation evaluates risk

Best Practices Considerations: A common way to categorize risk is through a “heat map” that measures risk on two axes: likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (e.g., the upper-right quadrant) should be prioritized higher than risks that rate lower.

Stage 2: Develop an Approach to Assess Supply Chain Cyber Security
Stage 2 guidance calls for “Creating a repeatable, consistent approach for assessing the cyber security of your suppliers.” This stage involves:

• Knowing which assets the organization should protect;
• Defining what the ideal security controls should be to protect the asset; and
• Determining how to assess suppliers and handle non-compliance.

NCSC Guidance: Prioritise your organisation’s “crown jewels”. Determine the critical aspects in your organisation that you need to protect the most.

Best Practices Considerations: Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to. Consider this framework when calculating inherent risk:

• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

NCSC Guidance: Create key components for the approach, which include:

• security profiles to be assigned to each supplier
• questions to determine the security profile of each supplier
• cyber security requirements for each profile
• management plans to track suppliers’ compliance with security requirements
• clauses relating to cyber security to insert into supplier contracts

Best Practices Considerations: Using the insights from this inherent risk assessment, your team can automatically tier and profile suppliers; establish specific contractual clauses to enforce standards; set appropriate levels of further diligence; determine the scope of ongoing assessments; and define remediations in the case of non-compliance.

For tracking compliance with security requirements, consider standardizing assessments against Cyber Essentials, ISO, or other commonly-adopted information security control frameworks.
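As an added example (not Prevalent’s own code or tiering logic), the following Python script applies the inherent-risk criteria listed above, which also appear in the ISO 27036-2 6.2.3.2 row earlier in this handbook, to place each supplier on a likelihood/impact heat map and derive a tier with its scope of further diligence. The scoring weights, the heat-map midpoint, the tier thresholds and the sample suppliers are all constructed assumptions.

```python
"""Rule-based inherent-risk tiering for suppliers.

Added example for this handbook, not Prevalent's code. The criteria are the
inherent-risk factors listed in the text; the weights, thresholds and tier
definitions below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplierProfile:
    """Inherent-risk inputs captured at onboarding (constructed schema)."""
    name: str
    criticality: int                      # 1 (commodity) .. 5 (operations stop without it)
    interacts_with_protected_data: bool   # handles regulated or sensitive data
    client_facing: bool                   # exposure to operational or client-facing processes
    regulated_location: bool              # location with legal or regulatory considerations
    fourth_party_reliance: int            # 0 (none) .. 3 (heavy concentration risk)
    financial_health: int                 # 1 (distressed) .. 5 (strong)
    adverse_reputation: bool              # negative news, sanctions or enforcement flags


def clamp(value: int, low: int = 1, high: int = 5) -> int:
    """Keep a score on the 1..5 scale of a 5x5 heat map."""
    return max(low, min(high, value))


def impact_score(p: SupplierProfile) -> int:
    """Impact axis: what a disruption or breach at this supplier costs us."""
    score = p.criticality
    if p.interacts_with_protected_data:
        score += 1   # a breach would expose protected data
    if p.client_facing:
        score += 1   # a failure is visible to customers
    return clamp(score)


def likelihood_score(p: SupplierProfile) -> int:
    """Likelihood axis: how probable a disruption or breach is."""
    score = 1
    score += p.fourth_party_reliance          # concentration risk
    score += (5 - p.financial_health) // 2    # weak financials raise failure odds
    if p.regulated_location:
        score += 1                            # legal/regulatory exposure
    if p.adverse_reputation:
        score += 1                            # reputational or sanctions signal
    return clamp(score)


def heat_map_quadrant(likelihood: int, impact: int) -> str:
    """Quadrant of the likelihood x impact heat map (3 is the midpoint)."""
    high_l, high_i = likelihood >= 3, impact >= 3
    if high_l and high_i:
        return "high likelihood / high impact"
    if high_l:
        return "high likelihood / low impact"
    if high_i:
        return "low likelihood / high impact"
    return "low likelihood / low impact"


# (minimum heat-map score, tier, scope of further diligence). Constructed.
TIERS = (
    (15, "Tier 1", "full control assessment at onboarding and annually, plus continuous monitoring"),
    (8, "Tier 2", "standard assessment at onboarding and renewal, plus continuous monitoring"),
    (1, "Tier 3", "lightweight self-attestation at onboarding and renewal"),
)


def tier_supplier(p: SupplierProfile) -> dict:
    """Score one supplier and return its heat-map position, tier and scope."""
    likelihood, impact = likelihood_score(p), impact_score(p)
    score = likelihood * impact   # 1..25, i.e. the cell of a 5x5 heat map
    for threshold, tier, scope in TIERS:
        if score >= threshold:
            return {"name": p.name, "likelihood": likelihood, "impact": impact,
                    "score": score, "quadrant": heat_map_quadrant(likelihood, impact),
                    "tier": tier, "scope": scope}
    raise AssertionError("unreachable: score is always >= 1")


def tier_suppliers(profiles) -> list:
    """Tier a portfolio, highest inherent risk first (the review order)."""
    return sorted((tier_supplier(p) for p in profiles), key=lambda r: -r["score"])


# Constructed sample portfolio (hypothetical suppliers).
SAMPLE_PORTFOLIO = [
    SupplierProfile("Cloud hosting provider", 5, True, True, False, 2, 4, False),
    SupplierProfile("Office supplies vendor", 1, False, False, False, 0, 5, False),
    SupplierProfile("Translation agency", 2, False, False, True, 1, 1, True),
]

if __name__ == "__main__":
    for row in tier_suppliers(SAMPLE_PORTFOLIO):
        print(f"{row['name']:<24} L={row['likelihood']} I={row['impact']} "
              f"score={row['score']:>2} {row['tier']}: {row['scope']}")
```

The translation agency lands in Tier 2 on likelihood alone (distressed finances, regulated location, adverse news) even though its impact is low, which is why the heat map quadrant is reported alongside the tier.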

Stage 3: Apply the Approach to New Supplier Relationships
At Stage 3, NCSC guidance recommends embedding “new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure.” This involves monitoring adherence to contractual provisions and maintaining the team’s awareness of their responsibilities during the process.

NCSC Guidance: Educate the team. Ensure that the people who will be involved in assessing suppliers are trained in cyber security.

Best Practices Considerations: Consider requiring employees responsible for supplier relationships to achieve individual security certifications, or support the organization’s Cyber Essentials or ISO 27036-2 certifications.

NCSC Guidance: Embed cyber security controls throughout the contract’s duration. Consider cyber security throughout the contract lifecycle: from decision to outsource, supplier selection, contract award, supplier delivery to termination. Think what practices can be introduced to make sure this happens for every acquisition.

Best Practices Considerations: This guidance requires organizations to be aware of risks at every stage of the supplier lifecycle, including:

• Conducting pre-contract due diligence by gaining cybersecurity insights or data breach history on potential suppliers prior to making selection decisions
• Scoring and categorizing suppliers so you know how to triage them and what ongoing due diligence is needed
• Validating assessment results with real-time cyber monitoring data
• Centrally tracking all contracts and security-related contract attributes
• Measuring supplier effectiveness, including KPIs, KRIs, and SLAs against compliance measures to make sure those vendors are meeting contractual requirements
• Winding down relationships in a way that ensures contract adherence, data destruction, and that final items are checked off

NCSC Guidance: Monitor supplier security performance

Best Practices Considerations: Conduct supplier cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management, and automated evidence review capabilities.

Then, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

Correlate all monitoring data to assessment results and centralize in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Stage 4: Integrate the Approach into Existing Supplier Contracts
In Stage 4, NCSC recommends reviewing “your existing contracts either upon renewal, or sooner where critical suppliers are concerned.” The guidance assumes some level of contract lifecycle management.

NCSC Guidance: Identify existing contracts; Risk assess your contracts; Support your suppliers; Review contractual clauses

Best Practices Considerations: Centralize the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews to ensure the appropriate security clauses are included. Key practices to consider in managing supplier contracts include:

• Centralized storage of contracts
• Tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

NCSC Guidance: Report progress to the board

Best Practices Considerations: Start by determining the difference between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related.

• Key Performance Indicators (KPIs) measure the effectiveness of functions and processes.
• Key Risk Indicators (KRIs) indicate how much risk the organization faces and which risk treatments to apply.

When it comes to measuring KPIs and KRIs, categorize them like this:

• Risk measurements help to understand the risk of doing business with a supplier, as well as associated mitigations
• Threat measurements overlap somewhat with risk and give a more complete and validated view of risk
• Compliance measurements define whether suppliers are compliant with your internal controls requirements
• Coverage measurements answer the question, “Do I have full coverage of my supplier footprint and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.

Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:

• Present a consolidated view of current risk exposure to the organization from the supply chain
• Communicate current status of critical suppliers supporting major company efforts
• Show inherent and residual risk from threat intelligence sources to demonstrate progress in reducing risk over time
• Identify where executive support is needed

Stage 5: Continuously Improve
The final stage of the NCSC guidance states that periodically refining “your approach as new issues emerge will reduce the likelihood of risks being introduced into your organisation via the supply chain.”

NCSC Guidance: Evaluate the approach and its components regularly

Best Practices Considerations: Continuously review the organization’s supply chain cybersecurity program at every stage of the supplier’s lifecycle. Key areas to review include:

• Roles and responsibilities (e.g., RACI)
• Supplier security profiles
• Risk scoring and thresholds based on the organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth- and Nth-party involvement in delivering critical services
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect systems and data
• Compliance and contractual reporting requirements against service levels
• Incident response processes
• Internal stakeholder reporting
• Risk mitigation and remediation strategies

NCSC Guidance: Maintain awareness of evolving threats and update practices accordingly. Maintain awareness of emerging threats and use the knowledge acquired to update your supply chain cyber security accordingly.

Best Practices Considerations: Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Correlate all monitoring data to assessment results and centralize in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources should include:

• Criminal forums; thousands of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• Financial performance, including turnover, profit and loss, shareholder funds, etc.
• Global news sources
• Politically exposed person profiles
• Global sanctions lists

NCSC Guidance: Collaborate with your suppliers

Best Practices Considerations: Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations with a secure audit trail for tracking remediations to a close.

The Prevalent Difference
NCSC Supply Chain Cyber Security Guidance Compliance
Prevalent helps organizations add governance and risk oversight to their supplier relationships to improve resilience by:

• Building a comprehensive, agile and mature supplier risk management program based on proven best practices
• Centralizing security profiles for a single enterprise-wide supplier inventory
• Automating the identification and assessment of suppliers based on their criticality to the organization
• Assessing and continuously monitoring for cybersecurity risks
• Measuring against key performance indicators (KPIs) and key risk indicators (KRIs) for security teams and the board
• Delivering automated remediation recommendations to suppliers to reduce residual risk
• Including templates to simplify regulatory and security framework audit reporting to multiple internal and external stakeholders

For more on how Prevalent can help address the requirements set forth in NCSC guidance, request a demo today.

NIST SP 800-53, SP 800-161 and CSF
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST’s responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, nearly 50% of private sector organizations have also adopted its guidelines, making NIST publications the primary standards for evaluating IT controls.

This section examines the applicable supply chain cybersecurity controls and guidance in NIST publications and identifies capabilities available in the Prevalent Third-Party Risk Management Platform that you can use to meet NIST requirements for stronger supply chain security.

Several NIST special publications have specific controls that address third-party supplier IT security. The most applicable are:

• SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
• SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• Cybersecurity Framework v1.1: Framework for Improving Critical Infrastructure Cybersecurity

These guidelines complement one another, so your organization can standardize on one special publication and cross-map to the others – in effect meeting multiple requirements using a single framework.

Supply Chain Risk Management Controls in SP 800-53 Rev. 5
NIST supply chain security and data privacy controls have evolved with each SP 800-53 revision. For example, in SP 800-53 Rev. 4 Supply Chain Protection was covered under the broader “System & Service Acquisition” control group. This single control addressed the need to identify vulnerabilities throughout an information system’s lifecycle, and to respond through strategy and controls. It encouraged organizations to procure third-party solutions to implement security safeguards. It also required organizations to review and assess suppliers and their products prior to engagement for broader supply chain visibility.

Acknowledging the increasing number of third-party supplier-related data breaches and other security events, SP 800-53 Rev. 5 expands and refines the supply chain security and privacy guidelines by establishing an entirely new control group, “SR-Supply Chain Risk Management.” It also requires organizations to develop and plan for managing supply chain risks by:

• Using formal risk management plans and policies to drive the supply chain management process
• Emphasizing security and privacy through collaboration in identifying risks and threats, and through the application of security and privacy-based controls
• Requiring transparency of systems and products (e.g., lifecycle, traceability, and component authenticity)
• Increasing awareness of the need to pre-assess organizations, and to ensure visibility into issues and breaches

How SP 800-161 Rev. 1 Complements Supply Chain Risk Management
NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With
SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor
cybersecurity supply chain risks.

SP 800-161 further identifies the following dimensions that form the framework of cybersecurity supply chain management:

• Culture and Awareness
• Security
• Suitability
• Safety
• Reliability
• Usability
• Quality
• Efficiency
• Maintainability
• Integrity
• Scalability
• Resilience

Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework
for assessing and mitigating supplier cybersecurity risks.

Supply Chain Risk Management Requirements in the Cybersecurity Framework v1.1
The Cybersecurity Framework is another NIST publication that
applies to third-party risk management and supply chain security.
The Framework leverages existing security frameworks, such as CIS,
COBIT, ISA, ISO/IEC and NIST, to avoid creating an undue burden
on organizations to address requirements. Specific supply chain risk
management subcategories identified in the CSF include:

• ID.SC-1: Identify, establish, assess, and manage cyber supply chain risk management processes, and ensure that organizational stakeholders agree.

• ID.SC-2: Identify, prioritize, and assess suppliers and third-party partners of information systems, components, and services using a cyber supply chain risk assessment process.

• ID.SC-3: Implement appropriate measures in supplier and third-party partner contracts to meet the
objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

• ID.SC-4: Routinely assess suppliers and third-party partners using audits, test results, or other forms of
evaluations to confirm they are meeting their contractual obligations.

• ID.SC-5: Conduct response and recovery planning and testing with suppliers and third-party providers.

The next section of this checklist cross-maps applicable supplier risk management guidance between
these three NIST publications.

63
Mapping Prevalent Capabilities to NIST Cybersecurity Supply
Chain Risk Management Control Requirements
The summary table below maps capabilities available in the Prevalent Third-Party Risk Management
Platform to select third-party vendor or supplier controls present in SP 800-53, with SP 800-161 and the
Cybersecurity Framework v1.1 control overlays (bolded) applied to the table to illustrate cross-mapping.

NOTE: This table should not be considered definitive guidance. For a complete list of controls, please review
the complete SP 800-53, SP 800-161 and Cybersecurity Framework v1.1 requirements in detail and consult
your auditor.

Table 1. Prevalent Mappings to NIST Cybersecurity Supply Chain Risk Management-Related Controls

The table has three columns: (1) SP 800-53r5 Control Number and Name Applicable to SP 800-161r1 Cybersecurity Supply Chain Risk Management; (2) Applicable Supply Chain-Specific Control Cross-Mapping to CSF v1.1; (3) Prevalent Third-Party Risk Management Platform Capabilities. Each row below lists the control and its supplemental C-SCRM guidance, followed by the CSF v1.1 cross-mapping and the Prevalent Platform capabilities.

CA-2 (1) Control Assessments | Specialized Assessments

Supplemental C-SCRM Guidance: Enterprises should use a variety of assessment techniques and
methodologies, such as continuous monitoring, insider threat assessment, and malicious user assessment.
These assessment mechanisms are context-specific and require the enterprise to understand its supply
chain and to define the required set of measures for assessing and verifying that appropriate protections
have been implemented.

CA-2 (3) Control Assessments | Leveraging Results from External Organizations

Supplemental C-SCRM Guidance: For C-SCRM, enterprises should use external security assessments
for suppliers, developers, system integrators, external system service providers, and other ICT/OT related
service providers. External assessments include certifications, third-party assessments, and – in the
federal context – prior assessments performed by other departments and agencies. Certifications from
the International Organization for Standardization (ISO), the National Information Assurance Partnership
(Common Criteria), and the Open Group Trusted Technology Forum (OTTF) may also be used by non-
federal and federal enterprises alike, if such certifications meet agency needs.

Control Assessments | Specialized Assessments (continued)

CSF v1.1 cross-mapping:

• ID.RA-1: Asset vulnerabilities are identified and documented.

• DE.DP-4: Event detection information is communicated.

Prevalent Platform capabilities:

The Prevalent Third-Party Risk Management Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others – a custom survey creation wizard, and a questionnaire that automatically maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.

Prevalent Vendor Threat Monitor (VTM) continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities. It also correlates assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.

With the Prevalent Platform, you can efficiently communicate with vendors and coordinate remediation efforts. Capture and audit conversations; record estimated completion dates; accept or reject submissions on an answer-by-answer basis; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.


CA-7 (3) Continuous Monitoring | Trend Analyses

Supplemental C-SCRM Guidance: The information gathered during continuous monitoring/trend analyses serves as input into C-SCRM decisions, including criticality analysis, vulnerability and threat analysis, and risk assessments. It also provides information that can be used in incident response and potentially identify a supply chain cybersecurity compromise, including an insider threat.

CSF v1.1 cross-mapping:

• ID.RA-1: Asset vulnerabilities are identified and documented.

• DE.AE-2: Detected events are analyzed to understand attack targets and methods.

• DE.AE-3: Event data are collected and correlated from multiple sources and sensors.

• DE.CM-1: The network is monitored to detect potential cybersecurity events.

• RS.AN-1: Notifications from detection systems are investigated.

• RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

Prevalent Platform capabilities:

Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials – as well as several security communities, code repositories, and vulnerability databases.

Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.


CP-2 (3) Contingency Plan | Coordinate with External Service Providers

Supplemental C-SCRM Guidance: Enterprises should ensure that the supply chain network, information systems, and components provided by an external service provider have appropriate failover (to include personnel, equipment, and network resources) to reduce or prevent service interruption or ensure timely recovery. Enterprises should ensure that contingency planning requirements are defined as part of the service-level agreement. The agreement may have specific terms that address critical components and functionality support in case of denial-of-service attacks to ensure the continuity of operations. Enterprises should coordinate with external service providers to identify service providers’ existing contingency plan practices and build on them as required by the enterprise’s mission and business needs. Such coordination will aid in cost reduction and efficient implementation. Enterprises should require their prime contractors who provide a mission- and business-critical or -enabling service or product to implement this control and flow down this requirement to relevant sub-tier contractors.

CSF v1.1 cross-mapping:

• ID.BE-1: The organization’s role in the supply chain is identified and communicated.

• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.

• PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

• DE.AE-4: Impact of events is determined.

• RS.RP-1: Response plan is executed during or after an incident.

• RS.CO-3: Information is shared consistent with response plans.

• RS.CO-4: Coordination with stakeholders occurs consistent with response plans.

• RS.AN-2: The impact of the incident is understood.

• RS.AN-4: Incidents are categorized consistent with response plans.

• RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

Prevalent Platform capabilities:

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance.

The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises.

In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.

All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.


IR-4 (3) Incident Handling | Supply Chain Coordination

Supplemental C-SCRM Guidance: A number of enterprises may be involved in managing incidents and
responses for supply chain security. After initially processing the incident and deciding on a course of action
(in some cases, the action may be “no action”), the enterprise may need to coordinate with their suppliers,
developers, system integrators, external system service providers, other ICT/OT-related service providers,
and any relevant interagency bodies to facilitate communications, incident response, root cause, and
corrective actions. Enterprises should securely share information through a coordinated set of personnel in
key roles to allow for a more comprehensive incident handling approach. Selecting suppliers, developers,
system integrators, external system service providers, and other ICT/OT-related service providers with
mature capabilities for supporting supply chain cybersecurity incident handling is important for reducing
exposure to cybersecurity risks throughout the supply chain. If transparency for incident handling is limited
due to the nature of the relationship, define a set of acceptable criteria in the agreement (e.g., contract).
A review (and potential revision) of the agreement is recommended, based on the lessons learned from
previous incidents. Enterprises should require their prime contractors to implement this control and flow
down this requirement to relevant sub-tier contractors.

CSF v1.1 cross-mapping:

• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.

• DE.AE-2: Detected events are analyzed to understand attack targets and methods.

• DE.AE-3: Event data are collected and correlated from multiple sources and sensors.

• DE.AE-4: Impact of events is determined.

• DE.AE-5: Incident alert thresholds are established.

• RS.RP-1: Response plan is executed during or after an incident.

• RS.CO-3: Information is shared consistent with response plans.

• RS.CO-4: Coordination with stakeholders occurs consistent with response plans.

• RS.AN-1: Notifications from detection systems are investigated.

• RS.AN-2: The impact of the incident is understood.

• RS.AN-4: Incidents are categorized consistent with response plans.

• RS.MI-2: Incidents are mitigated.

• RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

Prevalent Platform capabilities:

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance.

The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises.

In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.

All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

IR-5 Incident Monitoring

Supplemental C-SCRM Guidance: Enterprises should ensure that agreements with suppliers include requirements to track and document incidents, response decisions, and activities.

Prevalent Platform capabilities:

Prevalent Contract Essentials is a SaaS solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, your procurement and legal teams have a single solution to ensure that key contract clauses are in place, and that service levels and response times are managed.

IR-6 (1) Incident Reporting | Supply Chain Coordination

Supplemental C-SCRM Guidance: Communications of security incident information from the enterprise
to suppliers, developers, system integrators, external system service providers, and other ICT/OT-related
service providers and vice versa require protection. The enterprise should ensure that information is
reviewed and approved for sending based on its agreements with suppliers and any relevant interagency
bodies. Any escalation of or exception from this reporting should be clearly defined in the agreement. The
enterprise should ensure that incident reporting data is adequately protected for transmission and received
by approved individuals only. Enterprises should require their prime contractors to implement this control
and flow down this requirement to relevant sub-tier contractors.

CSF v1.1 cross-mapping:

• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.

• RS.CO-2: Incidents are reported consistent with established criteria.

Prevalent Platform capabilities:

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

IR-8 Incident Response Plan

Supplemental C-SCRM Guidance: Enterprises should coordinate, develop, and implement an incident response plan that includes information-sharing responsibilities with critical suppliers and, in a federal context, interagency partners and the FASC. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.

Prevalent Platform capabilities:

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. The Incident Response Service provides the foundation to be well prepared for board and executive questions regarding the impact of supply chain incidents, and to demonstrate proof of your third-party breach response plan with auditors and regulators.

PM-16 Threat Awareness Program

Supplemental C-SCRM Guidance: When addressing supply chain threat awareness, knowledge should be
shared between stakeholders within the boundaries of the organization’s information sharing policy.

CSF v1.1 cross-mapping:

• ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.

• ID.RA-3: Threats, both internal and external, are identified and documented.

• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

Prevalent Platform capabilities:

Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials – as well as several security communities, code repositories, and vulnerability databases.

Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

PM-31 Continuous Monitoring Strategy

Supplemental C-SCRM Guidance: The continuous monitoring strategy and program should integrate C-SCRM controls at Levels 1, 2, and 3 in accordance with the Supply Chain Risk Management Strategy.

Prevalent Platform capabilities:

Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials – as well as several security communities, code repositories, and vulnerability databases.

Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

RA-1 Policy and Procedures

Supplemental C-SCRM Guidance: Risk assessments should be performed at the enterprise, mission/program, and operational levels. The system-level risk assessment should include both the supply chain infrastructure (e.g., development and testing environments and delivery systems) and the information system/components traversing the supply chain. System-level risk assessments significantly intersect with the SDLC and should complement the enterprise’s broader RMF activities, which take part during the SDLC. A criticality analysis will ensure that mission-critical functions and components are given higher priority due to their impact on the mission, if compromised. The policy should include supply chain relevant cybersecurity roles that are applicable to performing and coordinating risk assessments across the enterprise (see Section 2 for the listing and description of roles). Applicable roles within suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers should be defined.

Prevalent Platform capabilities:

The Prevalent Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others – a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.

With the Prevalent Platform, you can automatically generate a risk register upon survey completion, ensuring that the entire risk profile (or a role-specific version) can be viewed in the centralized, real-time reporting dashboard – and reports can be downloaded and exported to determine compliance status. This filters out unnecessary noise and zeros in on areas of possible concern, providing visibility and trending to measure program effectiveness. Then, you can take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.


RA-3 Risk Assessment

Supplemental C-SCRM Guidance: Risk assessments should include an analysis of criticality, threats,
vulnerabilities, likelihood, and impact, as described in detail in Appendix C. The data to be reviewed and
collected includes C-SCRM-specific roles, processes, and the results of system/component and services
acquisitions, implementation, and integration. Risk assessments should be performed at Levels 1, 2, and
3. Risk assessments at higher levels should consist primarily of a synthesis of various risk assessments
performed at lower levels and used for understanding the overall impact with the level (e.g., at the
enterprise or mission/function levels). C-SCRM risk assessments should complement and inform risk
assessments, which are performed as ongoing activities throughout the SDLC, and processes should be
appropriately aligned with or integrated into ERM processes and governance.

CSF v1.1 cross-mapping:

• ID.RA-1: Asset vulnerabilities are identified and documented.

• ID.RA-3: Threats, both internal and external, are identified and documented.

• ID.RA-4: Potential business impacts and likelihoods are identified.

• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

• ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

• DE.AE-4: Impact of events is determined.

• RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

Prevalent Platform capabilities:

The Prevalent Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others – a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.

In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

RA-7 Risk Response

Supplemental C-SCRM Guidance: Enterprises should integrate capabilities to respond to cybersecurity risks throughout the supply chain into the enterprise’s overall response posture, ensuring that these responses are aligned to and fall within the boundaries of the enterprise’s tolerance for risk. Risk response should include consideration of risk response identification, evaluation of alternatives, and risk response decision activities.

Prevalent Platform capabilities:

The Prevalent Platform features built-in guidance to remediate control failures or other identified risks to levels acceptable to your organization. Prevalent also enables risk assessors to communicate with third parties about remediations, document conversations and updates, and store supporting control documentation in a centralized repository.

RA-9 Criticality Analysis

Supplemental C-SCRM Guidance: Enterprises should complete a criticality analysis as a prerequisite input to assessments of cybersecurity supply chain risk management activities. First, enterprises should complete a criticality analysis as part of the Frame step of the C-SCRM Risk Management Process. Then, findings generated in the Assess step activities (e.g., criticality analysis, threat analysis, vulnerability analysis, and mitigation strategies) update and tailor the criticality analysis. A symbiotic relationship exists between the criticality analysis and other Assess step activities in that they inform and enhance one another. For a high quality criticality analysis, enterprises should employ it iteratively throughout the SDLC and concurrently across the three levels. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should also refer to Appendix F to supplement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

Prevalent Platform capabilities:

Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. The assessment criteria include:

• Type of content required to validate controls

• Criticality to business performance and operations

• Location(s) and related legal or regulatory considerations

• Level of reliance on fourth parties (to avoid concentration risk)

• Exposure to operational or client-facing processes

• Interaction with protected data

• Financial status and health

• Reputation

Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments.

Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations.
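The inherent-risk scoring and rule-based tiering described above, as an added illustrative example in Python. This is not Prevalent’s code or scoring model: the criterion weights, the three-point rating scale, the tier thresholds, the override rule, the diligence cadence per tier and the sample suppliers are all assumptions constructed for the example. It shows the two things a criticality analysis needs that a plain weighted sum does not give you: a rule that forces a high tier when a few criteria alone determine the blast radius of a compromise, and a refusal to score an incomplete questionnaire.

```python
# Inherent-risk scoring and rule-based supplier tiering (illustrative example,
# not Prevalent's implementation). Weights, thresholds, the override rule and
# the sample suppliers below are assumptions constructed for this example.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-point rating an assessor assigns to each inherent-risk criterion."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The eight inherent-risk criteria named on the page. Weights are assumed:
# access to protected data and business criticality count double.
CRITERIA_WEIGHTS = {
    "evidence_required": 1.0,      # type of content required to validate controls
    "business_criticality": 2.0,   # criticality to business performance and operations
    "location_regulatory": 1.5,    # location(s) and related legal/regulatory considerations
    "fourth_party_reliance": 1.0,  # reliance on fourth parties (concentration risk)
    "operational_exposure": 1.5,   # exposure to operational or client-facing processes
    "protected_data": 2.0,         # interaction with protected data
    "financial_health": 1.0,       # financial status and health
    "reputation": 1.0,             # reputation
}

# Assumed level of further diligence and reassessment cadence (months) per tier.
TIER_DILIGENCE = {
    "Tier 1": ("full control assessment plus continuous monitoring", 6),
    "Tier 2": ("standard questionnaire-based assessment", 12),
    "Tier 3": ("self-attestation", 24),
}


@dataclass
class Supplier:
    name: str
    ratings: dict  # criterion name -> Level


def inherent_risk_score(supplier: Supplier) -> float:
    """Weighted average of the eight ratings, scaled to 0..100.

    An unrated criterion would silently lower the score and under-tier the
    supplier, so an incomplete questionnaire is rejected rather than scored.
    """
    missing = set(CRITERIA_WEIGHTS) - set(supplier.ratings)
    if missing:
        raise ValueError(f"{supplier.name}: unrated criteria {sorted(missing)}")
    weighted = sum(w * supplier.ratings[c] for c, w in CRITERIA_WEIGHTS.items())
    max_weighted = sum(CRITERIA_WEIGHTS.values()) * Level.HIGH
    return round(100.0 * weighted / max_weighted, 1)


def tier(supplier: Supplier) -> str:
    """Rule-based tiering: an override rule runs before the score thresholds.

    Assumed override: a supplier that is critical to operations AND handles
    protected data is Tier 1 even when its overall score is only moderate.
    """
    r = supplier.ratings
    if r["protected_data"] == Level.HIGH and r["business_criticality"] == Level.HIGH:
        return "Tier 1"
    score = inherent_risk_score(supplier)
    if score >= 70.0:
        return "Tier 1"
    if score >= 45.0:
        return "Tier 2"
    return "Tier 3"


def assessment_scope(supplier: Supplier) -> dict:
    """Scope of further diligence derived from the tier, as a risk-register entry."""
    t = tier(supplier)
    diligence, cadence = TIER_DILIGENCE[t]
    return {"supplier": supplier.name, "score": inherent_risk_score(supplier),
            "tier": t, "diligence": diligence, "reassess_every_months": cadence}


# Constructed sample suppliers (not real companies).
SAMPLE_SUPPLIERS = {
    "PayCo": Supplier("PayCo", {  # payments processor: critical, holds card data
        "evidence_required": Level.HIGH, "business_criticality": Level.HIGH,
        "location_regulatory": Level.MEDIUM, "fourth_party_reliance": Level.MEDIUM,
        "operational_exposure": Level.HIGH, "protected_data": Level.HIGH,
        "financial_health": Level.LOW, "reputation": Level.LOW}),
    "AdTool": Supplier("AdTool", {  # marketing SaaS spread over several jurisdictions
        "evidence_required": Level.MEDIUM, "business_criticality": Level.MEDIUM,
        "location_regulatory": Level.HIGH, "fourth_party_reliance": Level.HIGH,
        "operational_exposure": Level.LOW, "protected_data": Level.LOW,
        "financial_health": Level.MEDIUM, "reputation": Level.MEDIUM}),
    "HRVault": Supplier("HRVault", {  # low-profile vendor, but critical and holds PII
        "evidence_required": Level.LOW, "business_criticality": Level.HIGH,
        "location_regulatory": Level.LOW, "fourth_party_reliance": Level.LOW,
        "operational_exposure": Level.LOW, "protected_data": Level.HIGH,
        "financial_health": Level.LOW, "reputation": Level.LOW}),
    "Stationers": Supplier("Stationers", {  # office supplies
        "evidence_required": Level.LOW, "business_criticality": Level.LOW,
        "location_regulatory": Level.LOW, "fourth_party_reliance": Level.LOW,
        "operational_exposure": Level.LOW, "protected_data": Level.LOW,
        "financial_health": Level.MEDIUM, "reputation": Level.LOW}),
}

if __name__ == "__main__":
    for s in SAMPLE_SUPPLIERS.values():
        print(assessment_scope(s))
```

HRVault is the case worth noticing: its weighted score (57.6) would land it in Tier 2 on thresholds alone, but the override rule tiers it with PayCo because the two criteria that matter most for compromise impact are both rated HIGH. Whatever weights and thresholds an organization settles on, that rule-versus-score distinction is what keeps a quiet but critical supplier from being under-assessed.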


SA-4 (3) Acquisition Process | Continuous Monitoring Plan for Controls

Supplemental C-SCRM Guidance: This control enhancement is relevant to C-SCRM and plans for
continuous monitoring of control effectiveness and should therefore be extended to suppliers, developers,
system integrators, external system service providers, and other ICT/OT-related service providers.

CSF v1.1 cross-mapping:

• PR.IP-2: A System Development Life Cycle to manage systems is implemented.

• DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.

Prevalent Platform capabilities:

In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.


SI-4 (1) System Monitoring | Integrated Situational Awareness

Supplemental C-SCRM Guidance: System monitoring information may be correlated with that of
suppliers, developers, system integrators, external system service providers, and other ICT/OT-related
service providers, if appropriate. The results of correlating monitoring information may point to supply
chain cybersecurity vulnerabilities that require mitigation or compromises.

CSF v1.1 cross-mapping:

• DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.

• DE.AE-2: Detected events are analyzed to understand attack targets and methods.

• DE.AE-3: Event data are collected and correlated from multiple sources and sensors.

• DE.AE-4: Impact of events is determined.

• DE.CM-1: The network is monitored to detect potential cybersecurity events.

• DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.

• DE.DP-4: Event detection information is communicated.

• RS.CO-3: Information is shared consistent with response plans.

• RS.AN-1: Notifications from detection systems are investigated.

Prevalent Platform capabilities:

Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities – and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

SI-5 Security Alerts, Advisories and Directives

Supplemental C-SCRM Guidance: The enterprise should evaluate security alerts, advisories, and directives for cybersecurity supply chain impacts and follow up if needed. US-CERT, FASC, and other authoritative entities generate security alerts and advisories that are applicable to C-SCRM. Additional laws and regulations will impact who and how additional advisories are provided. Enterprises should ensure that their information-sharing protocols and processes include sharing alerts, advisories, and directives with relevant parties with whom they have an agreement to deliver products or perform services. Enterprises should provide direction or guidance as to what actions are to be taken in response to sharing such an alert, advisory, or directive. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

CSF v1.1 cross-mapping:

• ID.RA-1: Asset vulnerabilities are identified and documented.

• ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.

• ID.RA-3: Threats, both internal and external, are identified and documented.

• RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

• RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

Prevalent capabilities: Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.

All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.

SR-1 Policy and Procedures

Supplemental C-SCRM Guidance: C-SCRM policies are developed at Level 1 for the overall enterprise and at Level 2 for specific missions and functions. C-SCRM policies can be implemented at Levels 1, 2, and 3, depending on the level of depth and detail. C-SCRM procedures are developed at Level 2 for specific missions and functions and at Level 3 for specific systems. Enterprise functions including but not limited to information security, legal, risk management, and acquisition should review and concur on the development of C-SCRM policies and procedures or provide guidance to system owners for developing system-specific C-SCRM procedures.

Prevalent capabilities: Prevalent Program Design Services define and document your third-party risk management program. You get a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.

SR-2 Supply Chain Risk Management Plan

Supplemental C-SCRM Guidance: C-SCRM plans describe implementations, requirements, constraints, and implications at the system level. C-SCRM plans are influenced by the enterprise’s other risk assessment activities and may inherit and tailor common control baselines defined at Level 1 and Level 2. C-SCRM plans defined at Level 3 work in collaboration with the enterprise’s C-SCRM Strategy and Policies (Level 1 and Level 2) and the C-SCRM Implementation Plan (Level 1 and Level 2) to provide a systematic and holistic approach for cybersecurity supply chain risk management across the enterprise. C-SCRM plans should be developed as a standalone document and only integrated into existing system security plans if enterprise constraints require it.

Prevalent capabilities: Prevalent Program Design Services help you to continually improve your Prevalent Platform deployment, ensuring that your TPRM program maintains the flexibility and agility it needs to meet evolving business and regulatory requirements.

SR-6 Supplier Assessments and Reviews

Supplemental C-SCRM Guidance: In general, an enterprise should consider any information pertinent to the security, integrity, resilience, quality, trustworthiness, or authenticity of the supplier or their provided services or products. Enterprises should consider applying this information against a consistent set of core baseline factors and assessment criteria to facilitate equitable comparison (between suppliers and over time). Depending on the specific context and purpose for which the assessment is being conducted, the enterprise may select additional factors. The quality of information (e.g., its relevance, completeness, accuracy, etc.) relied upon for an assessment is also an important consideration. Reference sources for assessment information should also be documented. The C-SCRM PMO can help define requirements, methods, and tools for the enterprise’s supplier assessments. Departments and agencies should refer to Appendix E for further guidance concerning baseline risk factors and the documentation of assessments and Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

Prevalent capabilities: The Prevalent Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others – a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security and business resilience controls.

Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.

SR-8 Notification Agreements

Supplemental C-SCRM Guidance: At minimum, enterprises should require their suppliers to establish notification agreements with entities within their supply chain that have a role or responsibility related to that critical service or product. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

Prevalent capabilities: With the Prevalent Platform, you can collaborate on documents, agreements and certifications, such as NDAs, SLAs, SOWs and contracts, with built-in version control, task assignment and auto-review cadences. Manage all documents throughout the vendor lifecycle in centralized vendor profiles.

SR-13 Supplier Inventory

Supplemental C-SCRM Guidance: Enterprises rely on numerous suppliers to execute their missions and functions. Many suppliers provide products and services in support of multiple missions, functions, programs, projects, and systems. Some suppliers are more critical than others, based on the criticality of missions, functions, programs, projects, systems that their products and services support, and the enterprise’s level of dependency on the supplier. Enterprises should use criticality analysis to help determine which products and services are critical to determine the criticality of suppliers to be documented in the supplier inventory. See Section 2, Appendix C, and RA-9 for guidance on conducting criticality analysis.

Prevalent capabilities: Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. Assessment criteria include:

• Type of content required to validate controls

• Criticality to business performance and operations

• Location(s) and related legal or regulatory considerations

• Level of reliance on fourth parties (to avoid concentration risk)

• Exposure to operational or client-facing processes

• Interaction with protected data

• Financial status and health

• Reputation

Using the inherent risk assessment, you can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of subsequent, periodic assessments.

Rule-based tiering logic enables suppliers to be categorized based on a range of data interaction, financial, regulatory and reputational considerations.

NIST: Summary Guidelines and Recommendations
To address the supply chain risk management control requirements established in SP 800-53, use the
Cybersecurity Framework v1.1 supplemental guidance and consider implementing the following practices.

Table 2. Recommendations to Address CSF v1.1 Guidelines

Table columns: NIST CSF v1.1 Summary Guidelines | Recommendations

Guideline: Identify, establish, assess, and manage cyber supply chain risk management processes, and ensure organizational stakeholders agree.
Recommendation: Define and document your third-party risk management program with expert professional services. Obtain a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.

Guideline: Identify, prioritize, and assess suppliers and third-party partners of information systems, components, and services using a cyber supply chain risk assessment process.
Recommendation: Onboard, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle.

Guideline: Implement appropriate measures in supplier and third-party partner contracts to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
Recommendation: Use dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks. Customizable surveys make it easy to gather and analyze necessary performance and contract data in a single risk register.

Guideline: Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Recommendation: Use a comprehensive solution to address all information security topics as they pertain to supply chain partner security controls.

Guideline: Conduct response and recovery planning and testing with suppliers and third-party providers.
Recommendation: Identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance.

The Prevalent Difference
NIST SP 800-53, SP 800-161, CSF Compliance
NIST requires robust management and tracking of third-party supply chain security risks. SP 800-53,
SP 800-161, and CSF v1.1 specify that a policy for managing risk should be in place; security controls should
be selected; a policy should be codified in supplier agreements where appropriate; and suppliers should
be managed and audited to the requirements and controls. In short, organizations need to establish and
implement the processes to identify, assess and manage supply chain risk.

Prevalent can help by:

• Formalizing your third-party risk management program with industry best-practice guidance, adding consistency and repeatability to how you identify, manage, remediate and monitor supply chain risks across the vendor lifecycle

• Reducing the cost and complexity of third-party risk management with a managed services team that can handle vendor onboarding, assessment and management

• Comprehensively assessing vendors against NIST requirements and many other regulations, guidelines and frameworks – as well as through an extensive survey template library

• Continuously monitoring your third parties for cybersecurity, business, reputational or financial risks that can impact their ability to deliver products and services

• Delivering the reporting required to demonstrate compliance inside and outside the organization

• Accelerating incident response by rapidly identifying and mitigating the impact of supply chain breaches through event collection, scoring identified risks, and accessing remediation guidance

Contact Prevalent for a free maturity assessment to determine how your current TPRM policies stack
up to NIST requirements or request a solution demo today.

The Payment Card Industry Data Security Standard
(PCI DSS)
Originally developed in 2004 and revised consistently since, the Payment Card Industry
Data Security Standard (PCI DSS) aims to enhance cardholder data security and to
facilitate the broad adoption of consistent data security measures worldwide. The
standard applies to all entities that store, process or transmit cardholder data. With 12
requirements across six areas, the standard is designed to ensure that organizations have
the proper controls and procedures in place to secure cardholder data.
Specific to third-party risk management, PCI DSS requirements are applicable to organizations that
have outsourced:

• their payment operations, or;

• the management of systems (such as routers, firewalls, databases, physical security, and/or servers)
that are involved in transmitting, housing or protecting cardholder data.

Third parties are therefore responsible for ensuring that the data is protected per the applicable PCI DSS requirements.

It’s crucial for third parties to show compliance with PCI DSS requirements, and that’s where a vendor risk assessment is essential – offering a survey with specific PCI requirement questions and the ability to include applicable agreements and contracts as evidence along with the answers. If a third party performs a PCI DSS assessment, they should:

“…provide sufficient evidence to their customers to verify that the scope of the service provider’s PCI DSS assessment covered the services applicable to the customer and that the relevant PCI DSS requirements were examined and determined to be in place.”

All service providers with access to cardholder data – including shared hosting providers – must adhere to PCI DSS; shared hosting providers must protect each entity’s hosted environment and data. This section focuses specifically on those hosting provider requirements.

Meeting PCI DSS Requirements

Please see the table below for a summary of the third party-related PCI DSS guidance, and how Prevalent can help your organization address these requirements. For the purposes of this paper (and considering the breadth of the PCI standard) only requirements 12.8 and 12.9 are reviewed. With regard to Appendix A1 (Additional PCI DSS Requirements for Shared Hosting Providers), the requirement and associated testing procedures can be accomplished through assessments available in the Prevalent platform.

PCI DSS Checklist

Payment Card Industry Data Security Standard (PCI DSS) – Third-Party Shared Hosting Provider Requirements

Table columns: Requirement | How Prevalent Helps

Requirement 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

12.8.1 Maintain a list of service providers including a description of the service provided.
How Prevalent Helps: Prevalent offers an internal automated qualification assessment that enables you to gather required details about all entities your organization is working with from all departments to satisfy the requirements of 12.8.1. Prevalent utilizes standardized rule-based profiling and tiering logic to help risk and security teams understand the scope of their vendors. Through a combination of information collection and specific tiering questions, Prevalent leverages data interaction, financial, regulatory and reputational considerations to inform tiering. This process ensures that third parties are assessed properly according to their importance to the organization and provides a central repository for vendor management.

12.8.2 Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
How Prevalent Helps: Prevalent enables organizations to centralize agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features to accommodate 12.8.2. A dedicated contract assessment in the platform raises risks related to the achievement of contract clauses. Visualizing breaches of certain contract requirements or clauses ensures that organizations have the insights they need when renewing contracts.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
How Prevalent Helps: Prevalent delivers a standardized PCI assessment incorporating all 12 requirements, with built-in workflow to ensure the entire process – from survey collection and analysis to risk identification and reporting – is automated and efficient.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
How Prevalent Helps: Building on the requirement in 12.8.3, Prevalent offers a customizable survey to gather and analyze performance data, delivering a single repository of all third-party vendor evidence.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
How Prevalent Helps: Prevalent enables organizations to centralize agreements, contracts and supporting evidence.

Requirement 12.9 (Additional requirement for service providers only): Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
How Prevalent Helps: Prevalent enables organizations to centralize agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features. A dedicated contract assessment in the platform raises risks related to the achievement of contract clauses. Visualizing breaches of certain contract requirements or clauses ensures that organizations have the insights they need when renewing contracts.

The Prevalent Difference
The Payment Card Industry Data Security Standard
Prevalent can help address the third-party requirements published in the PCI standard by:

• Assessing third parties using a comprehensive standardized PCI assessment built into the Prevalent
platform.

• Automatically generating a risk register once a survey has been completed, filtering out any unnecessary
noise and zeroing-in on areas of possible concern.

• Matching documentation or evidence against risks and vendors, creating an audit trail for review.

• Reporting against PCI compliance, including projecting future risks and compliance once recommended
remediations are applied.

• Identifying relationships between your organization and third parties to discover dependencies and
visualize information paths.

With advisory, consulting and managed services, organizations that need to assess their third parties for PCI
compliance can be assured of best practices with Prevalent.

To discuss how Prevalent can help you address PCI DSS requirements, request a demo today.

SEC Cybersecurity Risk Management, Strategy,
Governance and Incident Disclosure for Third Parties
In March 2022 the U.S. Securities and Exchange
Commission (SEC) proposed new rules and
amendments to enhance and standardize
disclosures regarding cybersecurity risk
management, strategy, governance and incident
reporting by public companies. Public comment on
the proposed rules ended on May 9, 2022. The SEC
has not yet announced a date for when the changes
will be finalized and enforced. However, there are
several things you can do now to begin preparing
your company.
This section reviews the important third-party considerations in the SEC cybersecurity risk
management amendments and identifies critical third-party risk management (TPRM) capabilities
to address the requirements.

Summary of Proposed Updates to the SEC Cybersecurity Disclosure Rules
The proposed SEC rules and amendments were introduced in response to a lack of consistency in public
company cybersecurity incident reporting, which can erode investor confidence. The SEC publication
notes that cybersecurity risks have recently been escalating for a variety of reasons, including companies’
increasing reliance on third-party service providers for IT services and a growing number of cybersecurity
incidents involving third-party service providers.

The proposed amendments will require public companies to:

• Disclose information about a material cybersecurity incident within four (4) business days after the
company determines that it has experienced a material cybersecurity incident

• Provide updated disclosures relating to previously disclosed immaterial cybersecurity incidents when
they become material overall

• Add “cybersecurity incidents” as a topic in regular reporting

• Enhance and standardize cybersecurity risk management, strategy and governance reporting by:
– Describing policies and procedures for the identification and management of risks from cybersecurity
threats, and oversight of third-party service providers
– Requiring disclosure about the board’s oversight of cybersecurity risk and management’s role and
expertise in assessing and managing cybersecurity risk and implementing policies, procedures
and strategies

• Disclose in annual reports and proxy filings if any member of the company’s board of directors has
expertise in cybersecurity

Checklist for Meeting SEC TPRM Requirements
Because 45% of organizations experienced a third-party security incident in the last year, it is essential that
public companies consider the proposed SEC reporting amendments in the context of those relationships.
This section identifies proposed requirements in the SEC cybersecurity risk management amendments and
maps capabilities in the Prevalent Third-Party Risk Management Platform to those requirements to help
security teams mitigate third-party risks and meet reporting obligations.

NOTE: This is a summary of the most relevant amendments only, and it should not be considered comprehensive,
definitive guidance. For a complete list of rules, please review the complete document in detail and consult your auditor.

Table 1. Prevalent Capability Mappings to Proposed SEC Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Amendments

Table columns: Amendments | How Prevalent Helps

Reporting of Cybersecurity Incidents on Form 8-K, Item 1.05

Amendment: “Disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:

• When the incident was discovered and whether it is ongoing;

• A brief description of the nature and scope of the incident;

• Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;

• The effect of the incident on the registrant’s operations; and

• Whether the registrant has remediated or is currently remediating the incident.”

How Prevalent Helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.

In addition to our SaaS platform solutions, Prevalent offers a managed service where our experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate against continuous cyber monitoring; and issue remediation guidance – all on your behalf.

Key capabilities include:

• Continuously updated and customizable event and incident management questionnaires

• Real-time questionnaire completion progress tracking

• Defined risk owners with automated chasing reminders to keep surveys on schedule

• Proactive vendor reporting

• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor

• Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business

• Built-in reporting templates for internal and external stakeholders

• Guidance from built-in remediation recommendations to reduce risk

Data and relationship mapping identifies relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data.

Prevalent also provides access to a database containing 10+ years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.

Disclosure About Cybersecurity Incidents in Periodic Reports: Updates to Previously Filed Form 8-K Disclosure

Item 106(d)(1) of Regulation S-K and Item 106(d)(2) of Regulation S-K

Amendment: “Disclose:

• Any material impact of the incident on the registrant’s operations and financial condition;

• Any potential material future impacts on the registrant’s operations and financial condition;

• Whether the registrant has remediated or is currently remediating the incident; and

• Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.”

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies

• A database containing 10+ years of data breach history for thousands of companies around the world

Prevalent also incorporates business, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.


Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

1. Risk Management and Strategy, Item 106(b) of Regulation S-K

Amendment: “The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;”

How Prevalent Helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

• Clear roles and responsibilities (e.g., RACI)

• Third-party inventories

• Risk scoring and thresholds based on your organization’s risk tolerance

• Assessment and monitoring methodologies based on third-party criticality

• Fourth-party mapping

• Sources of continuous monitoring data (cyber, business, reputational, financial)

• Key performance indicators (KPIs) and key risk indicators (KRIs)

• Governing policies, standards, systems and processes to protect data

• Compliance and contractual reporting requirements against service levels

• Incident response requirements

• Risk and internal stakeholder reporting

• Risk mitigation and remediation strategies


“The registrant engages Prevalent features a library of 200+ pre-built templates for third-party risk
assessors, consultants, assessments. Assessments can be conducted at the time of onboarding,
auditors, or other third contract renewal, or at any required frequency (e.g., quarterly or annually).
parties in connection with
Assessments are managed centrally in the Prevalent Platform, and are
any cybersecurity risk
backed by workflow, task management and automated evidence review
assessment program;”
capabilities to ensure that your team has visibility into third-party risks
throughout the relationship lifecycle.

Importantly, Prevalent delivers built-in remediation recommendations


based on risk assessment results to ensure that your third parties address
risks in a timely and satisfactory manner.

For organizations with limited resources and expertise, Prevalent can


manage the third-party risk lifecycle on your behalf – from onboarding
vendors and collecting evidence, to providing remediation guidance and
reporting on contract SLAs. As a result, you reduce vendor risk and simplify
compliance without burdening internal staff.

“The registrant has Prevalent enables you to assess and monitor your third parties based on
policies and procedures extent of the threats to your information assets by capturing, tracking and
to oversee and identify quantifying inherent risks for all third parties.
the cybersecurity risks
Criteria used to calculate inherent risk for third-party classification includes:
associated with its use of
any third-party service • Type of content required to validate controls
provider (including, but • Criticality to business performance and operations
not limited to, those
• Location(s) and related legal or regulatory considerations
providers that have
access to the registrant’s • Level of reliance on fourth parties (to avoid concentration risk)
customer and employee • Exposure to operational or client-facing processes
data), including whether
• Interaction with protected data
and how cybersecurity
considerations affect the • Financial status and health
selection and oversight • Reputation
of these providers
and contractual and From this inherent risk assessment, your team can automatically tier
other mechanisms the suppliers; set appropriate levels of further diligence; and determine the
company uses to mitigate scope of ongoing assessments.
cybersecurity risks related
Rule-based tiering logic enables vendor categorization using a range of data
to these providers;”
interaction, financial, regulatory and reputational considerations.
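The tiering step described above, as an added illustration that is not Prevalent's own scoring model: a weighted inherent-risk score over the criteria listed, hard rules that override the score bands, and a tier-to-diligence mapping (SIG Core versus SIG Lite, cadence, monitoring). All weights, thresholds, the RESTRICTED-REGION jurisdiction and the four sample vendors are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not Prevalent's scoring model): weights, scales, thresholds,
# the placeholder jurisdiction and the sample vendors are constructed.


@dataclass(frozen=True)
class VendorProfile:
    name: str
    data_types: frozenset        # protected data handled, e.g. {"PII", "PCI"}
    criticality: int             # 1 (commodity) .. 5 (operations stop without it)
    jurisdictions: frozenset     # where the vendor stores or processes the data
    fourth_party_reliance: int   # 1 (self-contained) .. 5 (critical subcontractors)
    operational_exposure: int    # 1 (back office) .. 5 (inside client-facing processes)
    financial_health: int        # 1 (strong) .. 5 (distressed)
    adverse_findings: int        # hits from sanctions / negative-news screening


DATA_WEIGHTS = {"PII": 2, "PHI": 3, "PCI": 3, "CREDENTIALS": 3}   # constructed
REVIEW_JURISDICTIONS = frozenset({"RESTRICTED-REGION"})         # placeholder
# Tier -> depth of further diligence: SIG Core for vendors holding sensitive or
# regulated data, SIG Lite for lower-risk vendors (see the SIG section).
DILIGENCE_BY_TIER = {
    1: {"questionnaire": "SIG Core", "cadence_months": 12, "continuous_monitoring": True},
    2: {"questionnaire": "SIG Lite", "cadence_months": 12, "continuous_monitoring": True},
    3: {"questionnaire": "SIG Lite", "cadence_months": 24, "continuous_monitoring": False},
}


def data_interaction_score(p: VendorProfile) -> int:
    """0..8: sum of the weights of the protected-data classes handled, capped."""
    return min(8, sum(DATA_WEIGHTS.get(d, 1) for d in p.data_types))


def inherent_risk_score(p: VendorProfile) -> int:
    """Weighted 0..100 score: each criterion normalised to 0..1, then weighted."""
    components = [  # (normalised value, weight); weights sum to 100
        (data_interaction_score(p) / 8, 25),                          # protected data
        ((p.criticality - 1) / 4, 20),                                # criticality
        (1.0 if p.jurisdictions & REVIEW_JURISDICTIONS else 0.0, 10), # legal/regulatory
        ((p.fourth_party_reliance - 1) / 4, 10),                      # concentration
        ((p.operational_exposure - 1) / 4, 10),                       # operational
        ((p.financial_health - 1) / 4, 15),                           # financial
        (min(p.adverse_findings, 3) / 3, 10),                         # reputation
    ]
    return round(sum(value * weight for value, weight in components))


def assign_tier(p: VendorProfile) -> dict:
    """Rule-based tiering: hard rules run before the score bands, so a critical
    vendor handling PHI/PCI is Tier 1 even if the arithmetic alone says Tier 2."""
    score = inherent_risk_score(p)
    if p.criticality >= 4 and p.data_types & {"PHI", "PCI"}:
        tier, rule = 1, "hard rule: critical vendor handling PHI/PCI"
    elif score >= 60:
        tier, rule = 1, "score band: >= 60"
    elif score >= 30:
        tier, rule = 2, "score band: 30-59"
    else:
        tier, rule = 3, "score band: < 30"
    return {"vendor": p.name, "score": score, "tier": tier, "rule": rule,
            "diligence": DILIGENCE_BY_TIER[tier]}


def tier_vendors(profiles) -> list:
    """Tier a whole portfolio, highest inherent risk first."""
    return sorted((assign_tier(p) for p in profiles),
                  key=lambda r: (r["tier"], -r["score"]))


# Constructed sample portfolio of hypothetical vendors.
SAMPLE_VENDORS = [
    VendorProfile("payments-processor", frozenset({"PCI", "PII"}), 5,
                  frozenset({"HOME"}), 3, 5, 2, 0),
    VendorProfile("marketing-analytics-saas", frozenset({"PII"}), 3,
                  frozenset({"HOME", "RESTRICTED-REGION"}), 4, 3, 5, 3),
    VendorProfile("payroll-provider", frozenset({"PII", "PHI"}), 3,
                  frozenset({"HOME"}), 2, 2, 3, 0),
    VendorProfile("office-supplies", frozenset(), 1,
                  frozenset({"HOME"}), 1, 1, 1, 0),
]

if __name__ == "__main__":
    for r in tier_vendors(SAMPLE_VENDORS):
        print(f'Tier {r["tier"]}  score {r["score"]:>3}  {r["vendor"]:<26} {r["rule"]}')
```

The payments processor scores below the Tier 1 band but is still placed in Tier 1 by the hard rule, which is the behaviour a rule-based tiering step adds over a pure score.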

Amendment: “The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;”

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world

Amendment: “The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;”

How Prevalent Helps: Prevalent automates the assessment, continuous monitoring, analysis and remediation of risks to third-party business resilience and continuity – while automatically mapping results to NIST, ISO and other control frameworks.

To complement its business resilience assessments and validate vendor questionnaire responses, Prevalent:

• Automates continuous cyber monitoring that may predict possible third-party business impacts
• Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
• Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables you to:

• Categorize suppliers according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with suppliers during business disruptions

When you need to terminate or exit critical services, you can leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The Prevalent solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

Amendment: “Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies; ...” “Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and ...” “Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.”

How Prevalent Helps: With Prevalent, you can establish a program to efficiently achieve and demonstrate third-party governance and compliance, while ensuring that policies and procedures evolve according to changing risk dynamics.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements and adjust your program accordingly – including whether or not to accept residual risks.

Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

1. Risk Management and Strategy, Item 106(b) of Regulation S-K

Amendment: “Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;

“Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

“Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;

“Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;

“The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and

“Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.”

How Prevalent Helps: Prevalent provides a framework for centrally measuring third-party KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.

The capabilities can help your team to uncover risk trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.

Prevalent also improves efficiency by getting the right data into the right hands at the right time. This makes it easy for report recipients to quickly determine risk acceptability and make confident decisions, regardless of skill level.

The Prevalent Difference
SEC Cybersecurity Disclosure Rules Compliance
Prevalent solutions can help your organization to establish and mature your third-party cybersecurity risk
management, strategy, governance and incident disclosure program. With Prevalent, you can:

• Profile and tier all third parties, gaining inherent risk scores that indicate the likelihood and impact of a cybersecurity incident and enable you to right-size ongoing due diligence activities
• Map fourth and Nth parties to identify concentration risk and reveal data flows across the extended vendor ecosystem
• Automate third-party risk assessment, risk scoring and remediation processes
• Measure third-party business resilience against industry best practices
• Continuously monitor third parties for cybersecurity risks and correlate risks against assessment results to validate findings
• Automate incident response processes, speeding reporting and time to resolution
• Simplify board and executive reporting to enable clear and efficient decision making
• Benchmark your program against accepted best practices with compliance reporting against several frameworks and regulations

Contact Prevalent today for a free maturity assessment to determine how your TPRM policies stack
up to the SEC requirements, or schedule a demo to learn whether our solutions are a fit for you.

The Standard Information Gathering (SIG) Questionnaire
The Standard Information Gathering (SIG) questionnaire is a third-party risk questionnaire
created by the Shared Assessments membership organization. SIG is available in two
versions, Core and Lite, which equip organizations with industry-standard libraries
of curated questions to measure third-party risk across 19 different domains. Each
question is mapped to security controls across dozens of frameworks and compliance
requirements, enabling third-party risk standardization and improvement in adherence
with core TPRM compliance requirements.

SIG Lite vs. SIG Core

SIG Lite provides a high-level view of a company’s internal information control systems, providing a basic level of assessment due diligence. With 126 questions, SIG Lite can serve as a preliminary evaluation before conducting a more thorough assessment.

SIG Lite questions can also be used when a third-party vendor or supplier has a low degree of profiled risk and requires less due diligence than higher-risk vendors.

SIG Core is more detailed and is designed to assess third parties that store or maintain sensitive, regulated information. It provides a deeper level of insight into how a third party protects information by including eight different risk domains and 855 questions covering 19 risk topics.

SIG Core also allows organizations to select and customize the questions they want answered for each vendor. It also includes extensive coverage of legal requirements and best practices related to protecting personal information.

The Prevalent Difference
The SIG Questionnaire
Prevalent licenses both the SIG Core and SIG Lite questionnaires in our Third-Party Risk Management
Platform, helping you to:

• Automate the collection and analysis of SIG questionnaire answers and supporting evidence with a single platform
• Simplify regulatory and security framework reporting with additional, built-in control mappings
• Gain improved visibility into vendor risks with machine learning analytics and reporting
• Proactively mitigate risk with access to centralized remediation guidance
• Provide your team with reliable access to the latest version of the SIG questionnaire
• Complement and validate SIG questionnaire responses with continuous cyber, business, reputational, and financial risk monitoring

Contact Prevalent today to schedule a demo and learn about our solutions for automating
SIG assessments.

System and Organization Control (SOC) 2
The American Institute of Certified Public Accountants (AICPA) Assurance Services
Executive Committee (ASEC) developed trust services criteria for organizations to use as a
framework for demonstrating the confidentiality, integrity and availability of systems and data.
Organizations familiar with System and Organization Control (SOC) 2 audits will recognize that
these trust services criteria are used to report on the effectiveness of their internal controls
and safeguards over infrastructure, software, people, procedures, and data.
With technology outsourcing becoming ever more widespread, organizations must ensure that their third-party vendors store, process, and maintain data in accordance with the highest levels of security control. This section examines controls and guidance in the AICPA standard and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can be used to meet SOC 2 requirements for stronger data security throughout the supply chain.

Trust Services Criteria in SOC 2 Reports

SOC 2 audits provide a comprehensive view into the following AICPA trust services categories:

• Security: Protecting information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

• Availability: Ensuring the availability of information and systems for operation and use to meet the entity’s objectives.

• Processing integrity: Ensuring that system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

• Confidentiality: Protecting information designated as confidential to meet the entity’s objectives.

• Privacy: Ensuring that personal information collected, used, retained, disclosed, and disposed meets the entity’s objectives.

Once the controls audit is complete, outputs can include either a Type 1 report, which looks at a service
provider’s system and the suitability of the design of controls at a point in time; or a Type 2 report, which
adds to the Type 1 report by also looking at the operating effectiveness of controls over a period of time.

Organizations across multiple industries use SOC 2 reports to demonstrate due diligence to clients,
differentiate themselves from competitors based on their security posture, or be proactive with auditors in
measuring compliance against data protection regulations.

However, with 61 criteria across more than 300 points of focus, it can quickly become overwhelming for
organizations standardizing on a SOC 2 report to understand how to evaluate third parties for control
weaknesses that could result in a business disruption.

Mapping Prevalent Capabilities to AICPA Trust Service Criteria for
SOC 2 Reporting
Many companies have third parties that choose to submit SOC 2 reports instead of complete third-party
risk assessments, so it’s important to consistently evaluate all vendors. The summary table below maps
capabilities in the Prevalent Third-Party Risk Management Platform to select AICPA trust services criteria.
Organizations can leverage the Prevalent platform to understand and mitigate risks, regardless of how risks
are reported.

NOTE: This table should not be considered definitive guidance. For a complete list of controls, please review
the complete AICPA standard in detail and consult your auditor.

Table 1. Prevalent Mappings to AICPA Trust Services Criteria

CC2.3: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.

Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives.

How Prevalent Helps: The Prevalent Third-Party Risk Management (TPRM) Platform centrally manages dialogue about risks, reporting and remediations between organizations and their third-party vendors, suppliers and partners.

In addition, the Platform enables reporting, policy documents, contracts and supporting evidence to be stored for dialogue, attestation and sharing.

Together, these capabilities ensure that organizations have a single repository for visualizing and managing risks, vendor documentation and remediations.

CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity’s risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity’s information systems.

How Prevalent Helps: The Prevalent TPRM Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor, and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding.

The solution includes the ability to issue and manage point-in-time risk assessments using more than 75 different templates, analyze the results, as well as continuously monitor third-party cyber, business, reputational, and financial risks for a holistic view of third parties.

Built-in reporting templates ensure that security and risk management teams can communicate risk assessment results to executives and other decision-makers and stakeholders.

CC3.4: The entity identifies and assesses changes that could significantly impact the system of internal control.

Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships.

How Prevalent Helps: The Prevalent Platform leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding to ensure that as agreements change, so do responsibilities.

In addition, Prevalent offers Contract Essentials, a solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

CC9.2: The entity assesses and manages risks associated with vendors and business partners.

Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.

How Prevalent Helps: Prevalent Contract Essentials helps vendor management, procurement and legal teams simplify the process of establishing and negotiating contract terms and SLAs, managing redlines, and securing approvals through workflow. The solution is fully integrated with the complete TPRM Platform, ensuring that organizations can manage vendor contracts with the same discipline that they manage vendor risks.

Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity’s objectives.

How Prevalent Helps: The Prevalent Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding.

Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners.

How Prevalent Helps: With the Prevalent Platform, security and risk management teams can manually assign tasks related to managing assessment risks, or leverage a pre-packaged library of ActiveRules to automate a range of tasks normally performed as part of the assessment and review processes – such as updating vendor profiles and risk attributes, sending notifications, or activating workflow – utilizing if-this, then-that logic.

Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.

How Prevalent Helps: The Prevalent Platform enables vendor management teams to establish requirements to track and to centralize SLA and performance reporting against those requirements through a single reporting and analytics dashboard.

Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.

How Prevalent Helps: The Prevalent Platform features reporting that reveals risk trends, status and exceptions to common behavior for individual vendors or groups with embedded machine learning insights. With this capability, teams can quickly identify outliers across assessments, tasks, risks, etc. that could warrant further investigation.

Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships.

How Prevalent Helps: The Prevalent Platform leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding.

Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements.

Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary.

How Prevalent Helps: The Prevalent Platform enables risk management and compliance teams to automatically map information gathered from controls-based vendor assessments to regulatory frameworks including ISO 27001, NIST, CMMC, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and more to quickly visualize and address important compliance requirements.

P6.4: The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.

How Prevalent Helps: Prevalent includes built-in assessments for data protection regulations such as GDPR, CCPA, HIPAA and NYDFS. Results from these assessments are mapped into a central risk register where security and risk management teams can visualize and take action on potential risks to data and compare a vendor’s actions against their contractual obligations.

Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.

How Prevalent Helps: The Prevalent Platform includes built-in remediation guidance and recommendations. Security and risk management teams can efficiently communicate with vendors and coordinate remediation efforts through the Platform, capture and audit conversations, and record estimated completion dates.

P6.5: The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy.

Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.

Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.

How Prevalent Helps: The Prevalent Third-Party Incident Response Service enables security and risk management teams to rapidly identify and mitigate the impact of data privacy incidents by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

The Prevalent Difference
SOC 2 Compliance

The AICPA SOC 2 report is an industry-standard framework for IT services companies to assess their controls over customer data. Since some organizations that lack internal resources for responding to security assessments will provide a SOC 2 report to their customers instead, it can be time consuming and complex for teams to map SOC 2 report results into a risk management solution for proper risk tracking.

The Prevalent SOC 2 Report Review Service is a managed service delivered by the Risk Operations Center (ROC) that transposes SOC 2 report control exceptions into risks in the Prevalent Third-Party Risk Management Platform. The resulting unified risk register enables coordinated risk response and remediation following a standardized approach and ensures that you have a comprehensive profile of all vendors – even for those that submit a SOC 2 report in lieu of a full security assessment.

Contact Prevalent today for a free maturity assessment to determine how your current TPRM policies stack up to the AICPA trust services criteria, or learn more about how Prevalent can help simplify SOC 2 report reviews.

Maturing and Optimizing Your Third-Party Risk
Management Program
With the Prevalent TPRM Platform, your organization can effectively adapt to the ever-changing regulatory
landscape for third-party risk management. Our recommended approach follows best-practice guidance for a
closed-loop third-party risk management program.

With Prevalent, you can mature your third-party risk management program from reactive, low-visibility and
low-efficiency, to proactive, intelligent and agile. Key steps include:

1. Manage all your vendors in one place: The first step is to take control of your third-party ecosystem by
onboarding vendors and getting a picture of their inherent risk. You can do that yourself, or you can have
Prevalent do it for you.

2. Get out of spreadsheet jail: Next, get out of spreadsheet jail with an automated assessment solution
that enables everyone to collaborate on industry-standard questionnaires. Again, you’re welcome to do
that yourself, or Prevalent can do it for you.

3. Make smarter decisions: Then, validate assessment responses against external cyber security
scores and business risk intelligence from continuous monitoring across thousands of public and
private sources.

4. Fix what’s important: Next, prioritize and fix what’s important to your organization by consulting a
centralized risk register that unifies assessment data and monitoring intelligence for each vendor.

5. Continuous, intelligent and automated: Finally, this gets you to a place where the third-party risk
management process is much more predictable and proactive, with continuous risk insights informing
your assessment cadence.

Following this process enables you not only to reveal potential compliance issues, but also to adhere to
the TPRM lifecycle recommended by most regulatory bodies. By combining automated vendor assessments
with continuous risk monitoring, you gain a 360-degree view of third-party risk. This results in more secure,
more compliant operations between your organization and its vendors, suppliers and business partners.

To see if Prevalent is right for you, request a demo today.

How Prevalent Can Help
Prevalent delivers a unified third-party risk management platform that enables you
to better reveal, interpret and alleviate risk at every stage of the vendor lifecycle. By
combining automated assessment with continuous threat monitoring, Prevalent enables
your organization to simplify compliance, reduce security risks, and improve efficiency.

Key capabilities include:

• A library of 200+ pre-defined, customizable assessment questionnaires, backed by automated
capabilities for gathering and analyzing vendor data

• Bi-directional remediation workflows to facilitate risk management and mitigation, with complete audit
trails for all vendor communications and risk decisions

• A central reporting interface for visualizing compliance and risk status across the vendor landscape

• Deep data security auditing and business monitoring capabilities that enable you to move beyond
tactical network health reporting to reveal critical operational, financial, legal and brand risks

With Prevalent, you gain a 360-degree view of vendor risk for managing regulatory compliance and aligning
with industry standards and guidelines.

To learn how Prevalent can assist with your specific compliance requirements, request a demo today.

About Prevalent
Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and
services to eliminate the security and compliance exposures that come from working with vendors and
suppliers across the entire third-party lifecycle. Our customers benefit from a flexible, hybrid approach
to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on
investment. Regardless of where they start, we help our customers stop the pain, make informed decisions,
and adapt and mature their TPRM programs over time.

To learn more, please visit www.prevalent.net.

© Prevalent, Inc. All rights reserved. The Prevalent name and logo are trademarks or registered trademarks of Prevalent, Inc.
All other trademarks are the property of their respective owners. 4/23
