The CDPAS is a cohesive, consistent set of standards to govern cybersecurity- and data protection-related Third-Party Assessment, Attestation and Certification Services (3PAAC Services). By following the CDPAS methodology, practitioners can improve the currently disjointed approach used to assess cybersecurity and/or data privacy controls.
The SCF took on an ambitious project to “build a better mousetrap” to fix the common complaints associated with audits and assessments. The CDPAS empowers organizations to develop cybersecurity and data protection assessment strategies tailored to their specific mission, business needs, threats, and operational environments.
The CDPAS is not “one-size-fits-all.” Instead, the guidance should be adopted and tailored to the unique size, resources, and risk circumstances of each Organization Seeking Assessment (OSA) and Third-Party Assessment Organization (3PAO). It can be modified or augmented with OSA-specific requirements, policies, or compliance obligations due to statutory, regulatory and/or contractual requirements.
As part of 3PAAC Services, a 3PAO is expected to: (1) Conduct an assessment of applicable cybersecurity and/or data protection controls within an assessment boundary; (2) Provide an attestation based on the findings in a Report on Conformity (ROC); and (3) Finalize the process by authorizing the issue of a certification, if sufficient conformity is achieved.
Assessment vs. Audit
The CDPAS focuses on third-party assessments, not audits. Per NIST, an assessment is the testing or evaluation of security controls to determine the extent to which controls are implemented correctly and producing the desired outcome. An audit is the independent examination of records to ensure compliance with established controls and procedures.
The intended audience of the CDPAS is the “assessment ecosystem,” including Organizations Seeking Assessment (OSAs), Third-Party Assessment Organizations (3PAOs), individual assessors, and External Service Providers (ESPs).
Organizations Seeking Assessment (OSAs): Organizations undergoing cybersecurity or data protection assessments. OSAs use CDPAS to understand assessment expectations, prepare evidence packages, define assessment boundaries, and maintain conformity through proactive governance and annual affirmation.
Third-Party Assessment Organizations (3PAOs): Companies that perform assessment, attestation, and certification services. 3PAOs use CDPAS as the authoritative standard for conducting consistent, defensible 3PAAC Services using SCF-defined evidence and maturity criteria.
Individual Assessors: Assessment Team Leads (ATLs) and Assessment Technical Experts (ATEs) who execute the assessment. CDPAS defines their professional duty of care, independence requirements, subject matter competency, and conflict of interest avoidance obligations.
Consultants: External consultants who advise organizations on cybersecurity and privacy program readiness. CDPAS provides the methodology they need to prepare clients for formal third-party assessments and conformity certification.
External Service Providers (ESPs): Service providers responsible for inherited controls within an OSA’s assessment boundary. CDPAS addresses control inheritance, reciprocity, First-Party Declarations (1PDs), and Third-Party Attestations (3PAs) for shared responsibility models.
Cloud Service Providers (CSPs): CSPs that host systems within an OSA’s assessment boundary. CDPAS standards for control inheritance and reciprocity ensure CSP-provided controls are properly evaluated and documented in the Report on Conformity (ROC).
The CDPAS defines nine standards covering the full lifecycle of a cybersecurity and data protection assessment, from professional duty of care through maintaining ongoing conformity.
CDPAS introduces the concept of materiality, borrowed from financial audit standards, into cybersecurity assessments so that assessments focus on what matters most to the organization's risk posture.
A material control is such a fundamental cybersecurity and/or data protection control that it is not capable of having compensating controls, and its absence or failure exposes an organization to a material impact. CDPAS requires organizations to define materiality thresholds and designate material risks, material threats, and material incidents.
Material Control: A control so fundamental that its absence or failure could have a material impact, not capable of compensating controls.
Material Risk: A scenario where exposure to danger, harm, or loss has a material impact (e.g., significant financial impact, class action lawsuit, death).
Material Threat: A threat vector that causes damage or danger with a material impact (e.g., nation-state operations, poorly governed AI, dysfunctional management).
Material Incident: An occurrence that jeopardizes CIAS (Confidentiality, Integrity, Availability, Safety) with a material impact on the organization.
Material Weakness: A deficiency where reasonable threats will not be prevented or detected in a timely manner, directly affecting assurance.
CDPAS defines three levels of assessment rigor to match the sensitivity and risk profile of the assessment boundary:
CDPAS is the procedural standard that ties the entire SCF assessment ecosystem together. Each SCF tool plays a specific role in the 3PAAC process.
ERL: The ERL establishes a finite list of supporting evidence used in an assessment. Prior to the start of the assessment, an ERL is provided by the 3PAO to the OSA with standardized evidence expectations.
CMM: Provides the maturity scoring standard used during CDPAS assessments. Organizations define their target maturity level, and controls are assessed against CMM Level 1–5 criteria.
USG: Defines the assessment boundary, including the People, Processes, Technologies, Data and/or Facilities (PPTDF) in scope. The USG output feeds directly into CDPAS Standard 3 (Due Diligence).
RMM: Provides the risk context for CDPAS findings. Risk tolerance, risk appetite, and risk thresholds defined through the RMM inform the materiality designations required by CDPAS.
SCF control catalog: The 1,400+ control catalog provides the assessment objects. CDPAS uses the MCR/DSR classification and Statement of Applicability (SoA) to scope which controls are assessed.
CDPAS is the methodology standard used in the SCF Conformity Assessment Program (SCF-CAP). Organizations pursuing SCF-CAP certification must undergo a CDPAS-governed assessment by an accredited 3PAO.
Each of the nine CDPAS standards contains specific sub-requirements. Below is the complete list of standards and their component requirements.
CDPAS assessments operate within a continuous PDCA improvement cycle, with each assessment cycle informing remediation and the next conformity evaluation.
Plan: Define the assessment boundary (PPTDF) using the USG. Complete due diligence (Standards 3–4): assessment plan, SoA, ERL, stakeholder identification, control inheritance/reciprocity, and materiality thresholds.
Do: Execute due care (Standards 5–6): conduct the assessment using examine, interview, and test methods at the defined rigor level. Assess controls against Assessment Objectives (AOs). Document all findings.
Check: Quality control (Standard 7): perform objective peer review of findings. Issue conformity designation (Standard 8): produce the Report on Conformity (ROC). Process any finding challenges.
Act: Maintain conformity (Standard 9): develop a POA&M for findings, monitor changes to the assessment boundary, conduct reassessments for material changes, and complete annual affirmation.