TPRM Resources
Quick reference for compliance standards, risk management frameworks, and due diligence fundamentals.
For Compliance Teams
SOC 2 CC9.2 Vendor Management Evidence
SOC 2 CC9.2 requires organizations to assess and manage risks associated with third-party service providers. But most compliance teams misunderstand what audito...
Automate Vendor Due Diligence
Manual vendor due diligence costs $200-600 per vendor in analyst time, takes 4-6 hours per assessment, and produces inconsistent results that depend on who perf...
Vendor Risk Management for Startups
Most startups discover they need vendor risk management the same way — a prospect's security questionnaire asks for their vendor assessment process, or their SO...
HIPAA Vendor Due Diligence
Most healthcare organizations treat the Business Associate Agreement (BAA) as their entire vendor due diligence process — sign the BAA, file it, move on. But HI...
PCI DSS Vendor Requirements
PCI DSS Requirement 12.8 mandates that organizations maintain and manage third-party service providers (TPSPs) that handle cardholder data or could affect the s...
CMMC Vendor Risk Documentation
CMMC Level 2 certification requires defense contractors to implement supply chain risk management practices that go beyond basic vendor tracking. Assessors eval...
Deep Dive Guides
What Is Third-Party Risk Management (TPRM)?
Third-party risk management (TPRM) is the process of identifying, assessing, monitoring, and mitigating the risks that arise when organizations rely on external...
Vendor Due Diligence Checklist
Before you onboard a vendor that touches sensitive data, here is everything you need to check — and what to document. This checklist is organized by assessment ...
Vendor Risk Assessment Template
A vendor risk assessment is a structured evaluation that scores and classifies vendors by risk level based on the type of data they access, their security postu...
SOC 2 Vendor Assessment Guide
SOC 2 (System and Organization Controls 2) is the most widely requested vendor assurance report in the technology industry. Developed by the AICPA, SOC 2 evalua...
What Is Vendor Risk Management (VRM)?
Vendor risk management (VRM) is the discipline of identifying, evaluating, and controlling risks associated with third-party vendors and suppliers. While closel...
Sanctions Screening for Vendor Due Diligence
Sanctions screening is the process of checking whether a vendor, its principals, or its parent entities appear on government-maintained sanctions lists — primar...
FedRAMP Vendor Authorization Status
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standardized approach to security assessment, authorization, and continuous m...
What Compliance Teams Expect in Vendor Risk Reports
Your auditor just asked for your CC9.2 vendor management evidence. What exactly do they want to see? After reviewing hundreds of vendor risk assessments across ...
Present Vendor Due Diligence to Your SOC 2 Auditor
CC9.2 is the control where most SOC 2 audits hit friction. Here is how to walk into fieldwork with your vendor management evidence already accepted....
Vendor Risk Assessment Without Questionnaires
Security questionnaires take 4-6 weeks, require vendor cooperation, and produce self-reported data you cannot verify. There is a better way....
HIPAA Vendor Risk Assessment Requirements
The HIPAA Security Rule requires covered entities to assess the risk of every business associate that touches PHI. Most organizations do this with a spreadsheet...
FedRAMP Compliance Check — Verify Vendor Status
Your procurement team just asked whether a vendor is FedRAMP authorized. Here is how to check — and what to do when they are not....
FedRAMP Authorized Vendor List (2026)
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standardized approach to security assessment, authorization, and continuous m...
Vendor AI Data Usage Risk: What Compliance Teams Need to Know
Vendor AI data usage risk is the risk that a third-party vendor uses your organization's data to train artificial intelligence models, shares it with third-part...
Cost of Building a TPRM Program in 2026
Every organization that works with vendors needs some form of third-party risk management. But the cost of building that program varies wildly — from a single a...
How to Verify Vendor SOC 2 Compliance
A vendor says they're SOC 2 compliant. But how do you actually verify that claim before signing a contract and handing over sensitive data? Unlike FedRAMP or IS...
How to Read a SOC 2 Report
You've requested a vendor's SOC 2 Type II report and received a 100-page PDF. Now what? Most compliance teams skim the cover letter and file the report away, bu...
FedRAMP Authorized Storage Vendors
If your organization handles federal data or serves government agencies, your cloud storage provider must be FedRAMP authorized. This isn't optional — it's a co...
FedRAMP Authorized Collaboration Tools
Collaboration tools handle some of the most sensitive data in any organization — real-time conversations, shared files, screen recordings, and meeting transcrip...
AI Vendor Risk Assessment
AI-powered tools have moved from experimental pilots to core business infrastructure in less than three years. Your engineering team uses AI code assistants, yo...
CMMC Vendor Requirements for Defense Contractors
The Cybersecurity Maturity Model Certification (CMMC) program has transformed vendor management from a best-practice recommendation into a contract-losing liabi...
DORA Vendor Due Diligence Requirements
The Digital Operational Resilience Act (DORA) represents the European Union's most significant regulatory intervention in ICT third-party risk management for fi...
How to Check If a Vendor Is SOC 2 Certified
There is no public database of SOC 2 certified companies. Unlike FedRAMP, which maintains a public marketplace, or PCI DSS, which has a qualified service provid...
AI Vendor Risk Assessment: How to Evaluate ChatGPT, Copilot & AI Tools
AI tools introduce vendor risks that traditional assessment frameworks were not designed to catch. When employees use ChatGPT, GitHub Copilot, or Google Gemini,...
FERPA Vendor Risk Assessment for Schools & Universities
FERPA (the Family Educational Rights and Privacy Act) requires schools and universities to protect student education records — and that obligation extends to ev...
Security Questionnaire Alternatives: Assess Vendors Without Waiting
The vendor security questionnaire is the most universally disliked process in cybersecurity. Vendors hate filling them out — a single enterprise questionnaire c...
What Is a Vendor Risk Score? How Scoring Works
A vendor risk score is a standardized measure of the risk a third-party vendor poses to your organization, typically expressed as a numeric rating, letter grade...
Vendor Due Diligence for Financial Services: OCC & FFIEC Requirements
Financial institutions face the most prescriptive vendor management requirements of any industry. OCC Bulletin 2023-17 (which superseded the influential 2013-29...
Third-Party Risk Assessment for Healthcare Organizations
Healthcare third-party breaches are not a theoretical risk — they are the dominant breach vector. According to HHS breach data, approximately 40% of healthcare ...
Vendor Risk Assessment Checklist (2026)
This is the vendor risk assessment checklist your team can use immediately. It covers five risk categories — security, compliance, financial, operational, and r...
StateRAMP Vendor Requirements: What You Need to Know
StateRAMP provides a standardized cybersecurity framework for vendors serving state and local government agencies. Modeled on FedRAMP but adapted for the state ...
How to Evaluate SaaS Vendor Security: A Practical Guide
Every SaaS application your organization adopts becomes part of your security perimeter. When your team uses Notion for documentation, Asana for project managem...
Compliance Standards
PCI DSS
Payment Card Industry Data Security Standard
Security standard for organizations that handle credit card data. Covers network security, data protection, vulnerability management, and access control.
Official Documentation →
HIPAA
Health Insurance Portability and Accountability Act
US federal law requiring protection of patient health information. Covers Privacy Rule, Security Rule, Breach Notification, and Business Associate requirements.
Official Documentation →
SOX
Sarbanes-Oxley Act
US law mandating financial reporting controls for public companies. Covers internal controls over financial reporting, IT general controls, and access management.
Official Documentation →
SOC 2
System and Organization Controls
AICPA framework covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II is the most widely requested vendor assurance report.
Official Documentation →
GDPR
General Data Protection Regulation
EU regulation governing collection, processing, and storage of personal data. Establishes data subject rights and mandatory 72-hour breach notification.
Official Documentation →
CCPA / CPRA
California Consumer Privacy Act
California privacy laws granting consumers rights over personal information including rights to know, delete, opt-out, and limit use of sensitive data.
Official Documentation →
Risk Management Frameworks
NIST CSF 2.0
Cybersecurity Framework
Voluntary framework organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover.
Official Documentation →
NIST 800-53
Security & Privacy Controls
Comprehensive catalog of 1,000+ controls across 20 families for federal systems, widely adopted in private sector.
Official Documentation →
ISO 27001 / 27002
Information Security Management
International standard specifying ISMS requirements (27001) with 93 implementation controls (27002).
Official Documentation →
COSO ERM
Enterprise Risk Management
Integrated framework covering governance, strategy, performance, review, and communication for enterprise risk.
Official Documentation →
SIG
Standardized Information Gathering
Shared Assessments questionnaire covering 18+ risk domains with 800+ questions for third-party assessment.
Official Documentation →
TPRM Lifecycle
Planning & Scoping
Define TPRM strategy, identify vendors requiring assessment, establish risk appetite and criteria.
Selection & Due Diligence
Evaluate vendors through risk assessments, security reviews, compliance verification, and financial analysis.
Contract Negotiation
Establish SLAs, data protection clauses, right-to-audit, breach notification, and termination clauses.
Ongoing Monitoring
Continuous oversight through periodic reassessments, incident monitoring, and risk posture tracking.
Termination & Offboarding
Data return/destruction, access revocation, transition planning, and final compliance verification.
Continuous Improvement
Program evaluation, metrics analysis, regulatory adaptation, and process optimization.
Due Diligence Activities