
Requirement:

The cybersecurity requirements for contracts and agreements with third parties (e.g., a Service Level Agreement (SLA)) which, if impacted, may affect the organization's data or services, must include at least the following:

Sub-Controls:

4-1-2-1:
Requirement:
Non-disclosure clauses and secure removal of organization's data by third parties upon end of service.
Control Implementation Guidelines:
  • Define and document the requirements of this control in the cybersecurity requirements document and have them approved by the representative, provided that the cybersecurity requirements include non-disclosure requirements and secure removal by the third party of the organization's data upon service termination
  • Include in the organization's contracts with third parties clauses stating the third party's commitment to maintain the confidentiality of the information
  • Include in the organization's contracts with third parties clauses obligating the third party to securely remove the organization's data upon the expiry of the contract/service period
Expected Deliverables:
  • Cybersecurity policy that covers the requirements of contracts and agreements with third-parties (e.g., electronic copy or official hard copy)
  • Signed sample of a contract or agreement with third parties indicating the inclusion of confidentiality clauses and secure removal of data (hard copy or electronic copy)
4-1-2-2:
Requirement:
Communication procedures in case of cybersecurity incidents.
Control Implementation Guidelines:
  • Define and document the requirements of this control in the cybersecurity requirements document and have them approved by the representative, provided that they include the requirements of the communication procedures in the event of a cybersecurity incident
  • Include in the organization's contracts with third parties clauses stating the third party's obligation to define the communication procedures in the event of a cybersecurity incident
  • Ensure that third parties develop communication procedures with the organization, including communication means and data in the event of a cybersecurity incident that may affect the organization's data or service provided by the third party. These requirements include:
    • Communication data (e.g., e-mail)
    • The mechanism for reporting the cybersecurity incident (and its classification) to the organization
    • Escalation mechanisms
Expected Deliverables:
  • Cybersecurity policy that covers the requirements of contracts and agreements with third-parties (e.g., electronic copy or official hard copy)
  • Procedures adopted with third parties to communicate in the event of a cybersecurity incident through which the organization's data or service may be affected
4-1-2-3:
Requirement:
Requirements for third-parties to comply with related organizational policies and procedures, laws and regulations.
Control Implementation Guidelines:
  • Define and document the requirements of this control in the cybersecurity requirements document and have them approved by the representative, provided that they include the third parties' obligation to apply the organization's cybersecurity requirements and policies and the relevant laws and regulations
  • Include in the organization's contracts with third parties clauses obligating the third party to implement the organization's cybersecurity requirements and policies and the relevant laws and regulations
Expected Deliverables:
  • Cybersecurity policy that covers the requirements of contracts and agreements with third-parties (e.g., electronic copy or official hard copy)
  • Signed sample of a contract or agreement with third parties indicating the obligation of third parties to apply the organization's cybersecurity requirements and policies and the relevant laws and regulations