Cybersecurity requirements (for example, vulnerability notification, incident-related SLA requirements) are formalised in agreements with suppliers and other third parties
Context and Guidance: Requirements expressed as contractual specifications are the basis for the formal agreements that define and govern the relationship between the organisation and the external entities it relies on, including how changes to delivered products or services are handled. For each third-party agreement, the organisation should establish a detailed set of specifications that the third party must meet, including the cybersecurity requirements the organisation expects of it. These specifications should be thorough, detailed and definitive, adequate for use as criteria when selecting external entities, suitable as language in agreements with those entities, and appropriate as a basis for monitoring the third party's performance. Ideally, legal and technical staff work closely together in developing these requirements. For example, technical staff may face configuration management challenges when responsibility for operating an asset is shared; the organisation may use contract language to ensure that responsibility for addressing configuration issues is properly assigned. Agreement language can also specify expectations and requirements for vulnerability or incident notification, including timelines, whether notification is required before public disclosure, and the communication mechanisms to be used. Such specifications are often documented in service level agreements (SLAs) that are included in requests for proposals (RFPs). The agreement language should define what constitutes an event, an incident, and a vulnerability related to the delivery of the product or service; for example, a service outage in one region of the country that might affect other regions could be an event the service provider should inform the organisation about.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2c, THIRD-PARTIES-2f, THIRD-PARTIES-2g, THIRD-PARTIES-2h.