TPM-05.6 · First-Party Declaration (1PD)

Control Description

Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and data protection controls, including any flow-down requirements to subcontractors.

Control Question
Assessment question for control validation

Does the organization obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and data protection controls, including any flow-down requirements to subcontractors?

Control Weighting
7
Validation Cadence
Semi-Annual
NIST CSF Function
Identify
Supply Chain Risk Management (SCRM) Tiers
Applicable SCRM tier levels for this control
Tier 2 - Operational
Core Control Designations
Special designations and baseline inclusions
MAD: TPM-05.6
ESP Level 1: TPM-05.6
ESP Level 2: TPM-05.6
ESP Level 3: TPM-05.6
Additional Metadata
Applicability (Process):
x
Errata & Additional Notes

- wordsmithed control