
5.3 Domain 5 · Security Program Management

Third-Party Risk Assessment & Management

Vendors are extensions of your attack surface. Learn how to assess them (right-to-audit, SOC 2, questionnaires), pick the right paper (SLA vs MOU vs MOA vs MSA vs SOW vs NDA vs BPA), and monitor them after the ink dries.

The Concept

Modern companies run on vendors. Your payroll, your CRM, your email, your code repository, your build pipeline, your customer notification service — almost none of it lives entirely inside your perimeter. Every vendor inherits some portion of your trust, and a breach at any one of them can become a breach at you. Third-party risk management is the discipline of assessing that inherited risk before you sign, and watching it after you sign.

The Security+ exam tests three things in 5.3: (1) the assessment toolkit (right-to-audit clauses, SOC 2 reports, independent assessments, questionnaires like CAIQ and SIG, supply-chain analysis); (2) the agreement vocabulary — SLA, MOU, MOA, MSA, SOW, NDA, BPA — and which one fits which scenario; and (3) ongoing monitoring (security ratings, bridge letters, reassessment on material change). The trap-rich pairs are MOU vs MOA and SLA vs OLA.

Vendor assessment. Before you sign, you need evidence that the vendor’s security is real. The toolkit:

  • Penetration testing — commission a test of the vendor’s posture under contracted rules of engagement (rare; usually you accept their reports).
  • Right-to-audit clause — contractual right to audit the vendor’s controls yourself or via a third party. Often present but rarely exercised; just having it changes vendor behavior.
  • Evidence of internal audits — the vendor’s own audit reports (often summary form).
  • Independent assessments — the gold standard. SOC 2 Type II (operational effectiveness over a period), ISO 27001 certification, HITRUST for healthcare. SOC 2 reports are not public; you receive them under NDA.
  • Supply-chain analysis — the vendor has vendors too (your fourth parties). A breach at the vendor’s payroll provider can pivot back to you.

Vendor selection. Once assessment is in hand, selection adds due diligence (financial health, security posture, references, reputation) and conflict-of-interest management (disclose and manage; do not award contracts to board-member-affiliated vendors without scrutiny).

Agreement types. The exam tests recognition of these abbreviations and what each is for:

  • SLA (Service-Level Agreement) — performance guarantees (uptime %, response times) plus remedies for breach (credits, penalties).
  • MOU (Memorandum of Understanding) — statement of mutual intent. Generally not legally binding. The softer of the two.
  • MOA (Memorandum of Agreement) — formal agreement; more binding than MOU. Used when parties intend obligation.
  • MSA (Master Service Agreement) — umbrella contract setting overall terms; individual SOWs sit underneath it.
  • SOW (Statement of Work) / WO (Work Order) — specific deliverables, timeline, and cost — the actual project under the MSA.
  • NDA (Non-Disclosure Agreement) — confidentiality commitments; one-way or mutual.
  • BPA (Business Partners Agreement) — defines the terms of a partnership (revenue share, responsibilities, termination).

Internal vs. external agreement vocabulary. SLA is between customer and vendor. OLA (Operational-Level Agreement) is internal between teams (helpdesk and infra, for instance) and exists to make the external SLA achievable. ULA (expanded on this page as Underpinning / Upstream Layer Agreement; ITIL calls the equivalent supplier-side document an Underpinning Contract, UC) is vendor-to-vendor, deeper in the stack. The exam loves swapping SLA and OLA.

Vendor monitoring. Assessment is not one-and-done. Ongoing monitoring includes security-ratings services (SecurityScorecard, BitSight) that scan public posture and grade it; SOC 2 bridge letters from the vendor’s auditor covering the gap between report periods; and reassessment on material change (vendor acquisition, breach disclosure, scope expansion).

Questionnaires. Standardized vendor interrogations: CAIQ (Cloud Security Alliance — cloud-focused), SIG (Shared Assessments — broader), and custom questionnaires. Vendors that have completed CAIQ or SIG can hand it to you, saving weeks.

Rules of engagement. When you do commission assessments (pen tests, vulnerability scans, on-site audits), the rules of engagement document defines scope, boundaries, and legal protections — what’s in scope, what’s off-limits, who is notified when, and the legal authorization that keeps the assessor out of jail.

Agreement | Purpose                                                     | Binding?     | Exam cue
SLA       | Performance guarantees plus remedies (uptime, response times) | Yes          | “99.9% uptime,” “credits if missed”
MOU       | Mutual intent; soft commitment                              | Generally no | “intend to,” “non-binding,” “understanding”
MOA       | Formal agreement; firmer than MOU                           | Yes          | “agree to,” “obligated”
MSA       | Umbrella terms for an ongoing relationship                  | Yes          | “governs all future work”
SOW / WO  | Specific deliverables, timeline, cost (under MSA)           | Yes          | “this specific project,” “deliverables”
NDA       | Confidentiality commitment                                  | Yes          | “will not disclose,” “proprietary information”
BPA       | Defines partnership terms (revenue, responsibilities)       | Yes          | “partnership,” “joint venture”

Assessment artifact | What it proves                                                   | Where it comes from
SOC 2 Type II       | Controls operate effectively over time (typically 6–12 months)   | CPA firm; received under NDA
SOC 2 Type I        | Controls are designed appropriately at a point in time           | CPA firm; weaker than Type II
ISO 27001 cert      | ISMS conforms to the ISO standard                                | Accredited certification body
HITRUST             | Healthcare-focused control framework certification               | HITRUST assessor
CAIQ                | Cloud security questionnaire responses                           | Vendor self-completion (CSA)
SIG                 | Shared Assessments questionnaire responses                       | Vendor self-completion
Bridge letter       | Auditor’s confirmation of unchanged controls between SOC 2 reports | Vendor’s CPA firm

Agreement | Between                  | Used for
SLA       | Customer ↔ Vendor        | External performance commitments
OLA       | Team ↔ Team (internal)   | How internal teams support each other to meet the SLA
ULA       | Vendor ↔ Vendor          | Underpinning supply-chain commitments
Key Takeaway

Two reflexes for 5.3: (1) MOU = soft, MOA = firm, SLA = performance, NDA = confidentiality, MSA = umbrella, SOW = the specific work. (2) SOC 2 reports are NOT public — you obtain them under NDA. SecurityScorecard and similar are public-data signals, not substitutes.

Scenario
Vendor Onboarding Pressure — SaaS Analytics
VP Sales · Procurement · Security · 14-day clock

Sales is pushing to onboard a new analytics vendor in two weeks to meet a customer commitment. The vendor processes customer behavioral data including email addresses. Procurement sends you the vendor’s “security overview” PDF (5 pages, mostly marketing). The vendor does not have SOC 2 and says certification is “in progress.” The customer commitment date is firm.

VP Sales: “The customer signed a $400K deal contingent on this analytics integration. We launch in 14 days. Just rubber-stamp it.”

Security: “A marketing PDF is not an assessment. With no SOC 2, I need at minimum: a completed SIG-Lite questionnaire, an NDA in place so they can share their internal pen-test results, an SLA with breach-notification timelines, and a right-to-audit clause in the MSA. Then I can risk-rank them.”

VP Sales: “That’s a month of paperwork for a one-week project.”

Security: “It’s a week of paperwork for a multi-year processing relationship. If they breach in month four, we pay the regulatory fines, not them. The contract is what determines whether they have to pay. We can run a conditional onboarding: limited data scope (no PII at first), 90-day reassessment trigger, and a contractual commitment to deliver SOC 2 within 9 months. That gets you to launch in 14 days and protects us.”
Compensating Action

Time pressure does not eliminate the need for paper. Use a conditional onboarding: limited scope, a contractual commitment to deliver the missing artifacts by a deadline, and a documented risk acceptance signed by the executive who wants the vendor live. The MSA still gets the right-to-audit clause, NDA, and SLA; you only narrow the initial data scope while the rest of the assessment completes.
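The monitoring triggers described earlier (assurance lapsing between SOC 2 report periods unless a bridge letter covers the gap, material change since the last assessment, periodic reassessment) and the conditional-onboarding terms above (a time-bound risk acceptance and a contractual deadline for a missing artifact) all reduce to a handful of date checks that a vendor register should run on a schedule. The Python below is an added example, not code from this page or from any GRC product. The 90-day bridge-letter tolerance, the annual reassessment cadence, the vendor records and the fixed “today” are constructed assumptions chosen to exercise each trigger.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values (not from the page): how long after a SOC 2 Type II period
# ends you will accept the report without a bridge letter, and how often every
# vendor is reassessed regardless of events.
ASSURANCE_GAP_TOLERANCE = timedelta(days=90)
REASSESS_EVERY = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    data_scope: str                                 # "none", "pseudonymous" or "pii"
    soc2_type2_period_end: Optional[date]           # end of the period the latest Type II report covers
    bridge_letter_through: Optional[date]           # date the auditor's bridge letter covers through
    last_assessed: date                             # date the last full risk assessment was completed
    material_changes: list = field(default_factory=list)  # breach disclosure, acquisition, scope expansion
    exception_expires: Optional[date] = None        # conditional onboarding: signed risk acceptance expiry
    committed_artifact_due: Optional[date] = None   # contractual deadline for a missing artifact (e.g. SOC 2)
    committed_artifact_delivered: bool = False


def assurance_covered_through(v: Vendor) -> Optional[date]:
    """Latest date independent assurance covers; a bridge letter extends the Type II period."""
    dates = [d for d in (v.soc2_type2_period_end, v.bridge_letter_through) if d is not None]
    return max(dates) if dates else None


def review_vendor(v: Vendor, today: date) -> list:
    """Return the monitoring findings that should trigger action for one vendor."""
    findings = []
    covered = assurance_covered_through(v)
    if covered is None:
        findings.append("no independent assurance on file")
    elif today - covered > ASSURANCE_GAP_TOLERANCE:
        findings.append(f"assurance lapsed (covered through {covered}); request bridge letter or new report")
    if any(change > v.last_assessed for change in v.material_changes):
        findings.append("material change since last assessment; reassess now")
    if today - v.last_assessed > REASSESS_EVERY:
        findings.append("periodic reassessment overdue")
    if v.exception_expires is not None and today > v.exception_expires:
        findings.append("conditional-onboarding exception expired; renew risk acceptance or offboard")
    if (v.committed_artifact_due is not None and not v.committed_artifact_delivered
            and today > v.committed_artifact_due):
        findings.append("committed artifact overdue; contract remedy applies")
    if v.data_scope == "pii" and covered is None:
        findings.append("PII in scope with no independent assurance; narrow scope or escalate")
    return findings


def run_review(vendors, today: date) -> dict:
    """Review a whole register; vendors with an empty list need no action today."""
    return {v.name: review_vendor(v, today) for v in vendors}


# Constructed sample register and a fixed "today" so the run is deterministic.
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    # Type II period ended Dec 31; bridge letter covers through Apr 30, still within tolerance.
    Vendor("payroll-co", "pii", date(2024, 12, 31), date(2025, 4, 30), date(2025, 1, 15)),
    # Conditionally onboarded with no PII; SOC 2 delivery commitment is still in the future.
    Vendor("analytics-saas", "pseudonymous", None, None, date(2025, 5, 1),
           exception_expires=date(2025, 7, 30), committed_artifact_due=date(2026, 2, 1)),
    # Stale report, no bridge letter, and a breach disclosure after the last assessment.
    Vendor("crm-vendor", "pii", date(2024, 6, 30), None, date(2024, 3, 1),
           material_changes=[date(2025, 3, 10)]),
    # Exception and artifact deadline both passed with nothing delivered.
    Vendor("notify-service", "none", None, None, date(2025, 1, 1),
           exception_expires=date(2025, 5, 15), committed_artifact_due=date(2025, 5, 15)),
]

if __name__ == "__main__":
    for name, findings in run_review(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it flags nothing for payroll-co, one finding for analytics-saas (no assurance yet, but PII is out of scope and the SOC 2 deadline has not passed), three for crm-vendor (lapsed assurance, a material change, and overdue reassessment) and three for notify-service (no assurance, expired exception, overdue artifact). The point of keeping the tolerance and cadence as named constants is that they are the policy decisions a risk owner signs off on; everything else is mechanical.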

Real Talk — Career Context

Vendor risk is where security earns or loses credibility with the business. Saying “no” without offering a path to yes is how you get bypassed. Senior practitioners know the menu of conditional onboarding patterns: scope-limit, time-bound exception, third-party attestation requirement, contractual commitment to future evidence. The exam will not test conditional onboarding directly — but it tests the building blocks (NDA, SLA, right-to-audit, SOC 2).

On the exam: “vendor processes customer data on our behalf” implies processor language and likely a BAA in healthcare (HIPAA). “Vendor will not disclose our roadmap” → NDA. “Vendor must restore service in 4 hours” → SLA. “We can audit them” → right-to-audit clause.

Your firm and a state university plan a joint research program. They will provide graduate students; you will provide compute, datasets, and a cash stipend. The two parties want to commit to specific obligations — deliverables, milestones, financial contributions, and IP ownership of joint work — with legal enforceability if either party walks. Which agreement is the correct fit?

Option A
Memorandum of Understanding (MOU)

Capture the parties’ mutual understanding of intent and direction. Quick to draft, low legal overhead, signals partnership.

Option B
Memorandum of Agreement (MOA)

Capture binding obligations of each party — deliverables, milestones, payment, IP ownership — with enforceability.

Option B is correct — MOA

Option B: The scenario explicitly requires specific obligations with legal enforceability. That is the dividing line: MOA is the formal, more-binding instrument; MOU is a softer statement of intent. When real money, deliverables, and IP rights are on the table, MOA (or a contract built on its language) is the right vehicle.

Option A’s trap: MOU sounds collaborative and is faster, which is appealing for a research program — but it is “generally not legally binding.” If the university stops providing students or if your firm withholds the stipend, an MOU offers little remedy. The exam reliably rewards “MOA = firmer” over “MOU = softer.”

On the exam: “we intend to” → MOU. “We agree to” with money/deliverables → MOA. Note: in the federal context, an MOA may also be called an Interagency Agreement; both share the binding-obligation character.

MOU and MOA confused
MOU = mutual understanding, generally non-binding statement of intent. MOA = formal agreement, more binding. The exam reliably gives a scenario with binding obligations and offers MOU as the trap.
Why it is tempting: both abbreviate to “MO” plus one letter. Memorize the U vs A: “U” for Understanding (soft), “A” for Agreement (binding).
SOC 2 reports treated as public
SOC 2 (Type I and Type II) reports are not public documents. They are obtained from the vendor under NDA. Public-facing pages may show “SOC 2 compliant” badges, but the report itself is not on the website.
Why it is tempting: vendors advertise SOC 2 status loudly. Advertising is not the report.
SLA confused with OLA
SLA is between you and a vendor (external). OLA is between internal teams. ULA is vendor-to-vendor (upstream). Questions often describe an internal helpdesk-to-infra commitment and ask which agreement applies — OLA, not SLA.
Why it is tempting: “agreement about service levels” sounds like SLA regardless of context. Read for “internal” vs “external.”
MSA confused with SOW
MSA is the umbrella that governs the relationship long-term. SOW sits under it and describes a specific project. The exam asks “what governs all future work” (MSA) versus “what defines the deliverables for this project” (SOW).
Why it is tempting: both feel like “the contract.” MSA is the framework; SOW is the actual job.
SOC 2 Type I treated as Type II
Type I is design appropriateness at a point in time. Type II is operating effectiveness over a period (typically 6–12 months). Customer requests almost always want Type II; Type I is weaker evidence.
Why it is tempting: “we have a SOC 2” sounds equivalent. Type II is the one that proves controls actually work.
One-time assessment treated as ongoing monitoring
Onboarding assessment is not ongoing monitoring. Ongoing monitoring includes security-ratings services, bridge letters between SOC 2 cycles, and reassessment when material change occurs (vendor breach, acquisition, scope expansion).
Why it is tempting: “we assessed them” feels like a finished checkbox. Vendor risk is continuous.
Exam Signal

5.3 questions test three reflexes: (1) match scenario to agreement (uptime → SLA, confidentiality → NDA, mutual intent → MOU, binding obligation → MOA, umbrella → MSA, specific project → SOW, partnership → BPA); (2) internal vs external (OLA = internal, SLA = external); (3) SOC 2 = under NDA, never public. Read the question carefully for “binding” vs “intent” and “internal” vs “external.”

Quick Check — 5.3 Q1
A SaaS vendor will not disclose its detailed architecture or upcoming features to your engineering team without a confidentiality agreement in place. Which document does your team sign?
  • A SLA
  • B MOU
  • C NDA
  • D BPA

Correct: C. An NDA (Non-Disclosure Agreement) is the confidentiality commitment that allows the vendor to share proprietary information with your team.

A wrong: SLAs guarantee performance, not confidentiality.

B wrong: MOUs capture mutual intent, not specifically confidentiality.

D wrong: BPAs define partnership terms (revenue share, responsibilities).

Source: CompTIA SY0-701 Objectives v5.0 — 5.3 Third-party risk assessment and management

Quick Check — 5.3 Q2
A prospective enterprise customer asks your sales team for proof that your security controls operate effectively over time. Which artifact BEST satisfies that request, and how is it shared?
  • A A SOC 2 Type I report posted on the public marketing site
  • B A SOC 2 Type II report shared under NDA
  • C A SecurityScorecard letter grade screenshot
  • D An MOU signed by the CISO

Correct: B. SOC 2 Type II tests operating effectiveness over a period (typically 6–12 months). The report is shared under NDA, never publicly posted.

A wrong: Two errors: Type I tests design at a point in time (not effectiveness over time), and SOC 2 reports are never public.

C wrong: Security ratings are public-data signals, not assurance reports.

D wrong: An MOU does not attest to control operation.

Source: CompTIA SY0-701 Objectives v5.0 — 5.3

Quick Check — 5.3 Q3
Your IT helpdesk and infrastructure teams need a documented commitment that the infra team will respond to ticket escalations within 30 minutes during business hours. The two teams are both inside your company. Which agreement type fits?
  • A SLA
  • B OLA
  • C ULA
  • D BPA

Correct: B. OLA (Operational-Level Agreement) is the internal commitment between teams that supports a customer-facing SLA. Helpdesk-to-infra is internal, so OLA.

A wrong: SLAs are between organizations (customer and vendor), not between internal teams.

C wrong: ULA is vendor-to-vendor in the supply chain, not internal.

D wrong: BPAs define commercial partnership terms.

Source: CompTIA SY0-701 Objectives v5.0 — 5.3

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.