
Security & Privacy Capability Maturity Model (SP-CMM) Use Case #3 – Provide Objective Criteria To Evaluate Third-Party Service Provider Security


Posted by SCF Council on Apr 19th 2023

The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. One of the use cases for the SP-CMM is to provide minimum criteria that can be used to evaluate third-party service provider controls.

SP-CMM Use Case #3 – Provide Objective Criteria To Evaluate Third-Party Service Provider Security

It is commonplace for Third-Party Service Providers (TSPs), including vendors and partners, to be contractually bound to implement and manage a baseline set of cybersecurity and privacy controls. This necessitates oversight of TSPs to ensure controls are properly implemented and managed.

Identifying The Problem

In managing a cybersecurity and privacy program, it is important to address controls in a holistic manner, which includes governing the supply chain. TSPs are commonly considered the “soft underbelly” for an organization’s security program, since TSP oversight has traditionally been weak or non-existent in most organizations. There have been numerous publicized examples of TSPs being the source of an incident or breach.

One of the issues with managing TSPs is that most questionnaires ask for simple yes, no or not applicable answers. This approach lacks the detail that provides critical insight into the TSP's actual security posture. The SP-CMM can be used to obtain more nuanced answers by having TSPs select a level from L0-5, which indicates both whether the control is implemented and how mature the underlying process is.

Referencing back to the SP-CMM Overview section of this document, the L0-1 levels of maturity are identified as deficient from a “reasonable person perspective” in most cases. Therefore, organizations need to look at the “capability maturity sweet spot” between L2-L4 to identify the reasonable people, processes and technologies that TSPs need to be able to demonstrate in order to properly protect your systems, applications, services and data, regardless of where it is stored, transmitted or processed. From a TSP management perspective, this will often limit target CMM levels to L2-3 for most organizations.

TSP controls are expected to cover both your internal requirements, as well as external requirements from applicable laws, regulations and contracts. Using the SP-CMM can be an efficient way to provide a level of quality control over TSP practices. Being able to demonstrate proper cybersecurity and privacy practices is built upon the security principles of protecting the confidentiality, integrity, availability and safety of your assets, including data.

Identifying A Solution

While there are over 1,000 controls in the SCF’s controls catalog, it is necessary to pare that catalog down to only what is applicable to the specific TSP’s scope of control (e.g., Managed Service Provider (MSP), Software as a Service (SaaS) provider, etc.). This step simply involves filtering out the SCF controls that do not apply. It can be done in Excel or within a GRC solution (e.g., SCF Connect). The result is a tailored set of controls covering only the cybersecurity & privacy controls that the TSP is responsible for or influences.

Once the SCF’s controls catalog has been pared down to only what is applicable, a manual review is needed to identify the appropriate target maturity level for each control that would be expected of the TSP. Ideally, the TSP inherits the same target maturity level for controls as is used throughout the organization. For any deviations, whether based on contract clauses, budget, time or other constraints, a risk assessment should be conducted to ensure that a lower level of maturity for TSP-specific controls is appropriate.
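The two steps above, tailoring the catalog to the TSP's scope and then comparing each L0-5 response against its target level, as an added Python example that is not SCF code or tooling. The control IDs, scope tags, the organization-wide target of L3 and the TSP responses are all constructed for illustration.

```python
# Added example (not SCF code): an SP-CMM-style gap check for one TSP.
# Control IDs, scope tags and responses below are constructed sample data.

# The post's maturity bands: L0-1 is deficient from a "reasonable person"
# perspective; most organizations target L2-3 for TSP controls.
DEFICIENT_MAX = 1
ORG_TARGET = 3   # assumed organization-wide target level, inherited by TSPs

# Constructed catalog: id -> (description, TSP scopes the control applies to)
CATALOG = {
    "CTRL-01": ("Vulnerability remediation", {"MSP", "SaaS"}),
    "CTRL-02": ("Tenant data encryption at rest", {"SaaS"}),
    "CTRL-03": ("Privileged access management", {"MSP", "SaaS"}),
    "CTRL-04": ("Physical facility security", {"MSP"}),
}

def tailor_catalog(catalog, tsp_scope):
    """Step 1: keep only the controls applicable to the TSP's scope."""
    return {cid: desc for cid, (desc, scopes) in catalog.items() if tsp_scope in scopes}

def assess_tsp(catalog, tsp_scope, responses, target=ORG_TARGET, deviations=None):
    """Step 2: compare each L0-5 self-reported level against its target.

    deviations: optional {control_id: lower_target} agreed after a risk assessment.
    Returns {control_id: finding}, one finding per applicable control.
    """
    deviations = deviations or {}
    findings = {}
    for cid, desc in tailor_catalog(catalog, tsp_scope).items():
        level = responses.get(cid)            # None means the TSP did not answer
        expected = deviations.get(cid, target)
        if level is None:
            status = "unanswered"
        elif not 0 <= level <= 5:
            raise ValueError(f"{cid}: maturity level must be L0-L5, got {level}")
        elif level <= DEFICIENT_MAX:
            status = "deficient"              # L0-1: below the reasonable-person bar
        elif level < expected:
            status = "below_target"           # needs remediation or a risk-assessed deviation
        else:
            status = "meets_target"
        findings[cid] = {"control": desc, "reported": level, "expected": expected, "status": status}
    return findings

if __name__ == "__main__":
    resp = {"CTRL-01": 3, "CTRL-02": 1, "CTRL-03": 2}   # constructed SaaS TSP answers
    for cid, finding in assess_tsp(CATALOG, "SaaS", resp).items():
        print(cid, finding["status"], finding)
```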