TPM-05.8 · Third-Party Attestation (3PA)

Control Description

Mechanisms exist to obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for cybersecurity and data protection controls, including any flow-down requirements to contractors and subcontractors.

Control Question
Assessment question for control validation

Does the organization obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for cybersecurity and data protection controls, including any flow-down requirements to contractors and subcontractors?

Control Weighting
5
Validation Cadence
Semi-Annual
NIST CSF Function
Govern
Supply Chain Risk Management (SCRM) Tiers
Applicable SCRM tier levels for this control
Tier 1 - Strategic
Tier 2 - Operational
Core Control Designations
Special designations and baseline inclusions
MAD: TPM-05.8
ESP Level 2: TPM-05.8
ESP Level 3: TPM-05.8
Additional Metadata
Applicability (Process): x
Errata & Additional Notes

- wordsmithed control