Vendor Risk Lifecycle and Agreements
Key Takeaways
- Third-party risk management runs through selection, due diligence, contracting, onboarding, monitoring, renewal, and offboarding — most failures happen after signing.
- A Service-Level Agreement (SLA) fixes measurable targets (uptime, response time, recovery); a Master Service Agreement (MSA) sets the umbrella legal terms.
- A Statement of Work (SOW) scopes a specific project; a Work Order (WO) is issued under an MSA for a discrete task.
- A Non-Disclosure Agreement (NDA) protects confidential information; a Business Partner Agreement (BPA) covers shared obligations for protected/regulated data.
- A Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA) record intent or responsibilities and often carry less enforceability than a contract.
Why Domain 5 Cares About Vendors
On CompTIA Security+ SY0-701 (90 questions, 90 minutes, pass at 750 on a 100–900 scale), third-party risk lives in Domain 5, Security Program Management and Oversight — the heaviest domain at 20% of the exam. Objective 5.3 names supply-chain and vendor concepts directly, so expect several scenario items that hand you a vendor problem and ask which agreement, lifecycle phase, or control answers it.
A third party is any external entity (cloud host, payroll processor, payment gateway, MSP, law firm) that touches your systems or data. A fourth party is your vendor's subcontractor (a subprocessor). Third-party risk management (TPRM) decides who may handle data, what controls they owe, how performance is measured, and how the relationship ends. The exam frames this as extending your attack surface: every integration, API token, and VPN tunnel a vendor holds is a path into you.
Two related supply-chain ideas show up in the same objective. Supply-chain risk covers hardware, software, and managed-service providers — think of a tampered firmware image or a compromised software update poisoning every downstream customer. Concentration risk appears when many of your critical services depend on one provider or one region, so a single outage cascades. CompTIA wants you to reason about inherent risk before compensating controls and about residual risk after them, and to remember that accountability for the data never transfers to the vendor even when the work does.
The Vendor Risk Lifecycle
| Phase | Security focus | Evidence example |
|---|---|---|
| Selection | Identify business need, data type, inherent risk | Intake form, data classification |
| Due diligence | Validate controls before approval | Questionnaire, SOC 2 Type II, pen-test summary |
| Contracting | Turn obligations into enforceable terms | Signed MSA, SLA, SOW, NDA, BPA |
| Onboarding | Provision least-privilege access securely | Approved integration ticket, scoped access list |
| Monitoring | Watch performance and risk drift | Quarterly SLA report, refreshed risk rating |
| Renewal | Reassess fit before re-signing | Renewal risk review, control attestations |
| Offboarding | Revoke access, confirm data return/destruction | Termination checklist, certificate of destruction |
The lifecycle matters because the threat is dynamic. A vendor acceptable two years ago may add a subprocessor, move data to a new region, suffer a breach, or quietly stop meeting uptime. Continuous monitoring — not the signing ceremony — is where Security+ expects mature programs to catch trouble.
Notice how the evidence column maps to a verifiable artifact at each phase. That is deliberate: on the exam, the better answer is almost always the one backed by an objective artifact (a signed clause, a destruction certificate, a scoped access list) rather than a verbal assurance. Offboarding is the most-missed phase in real breaches — dormant vendor accounts and un-revoked API keys are a recurring root cause — so treat the termination checklist and proof of data return or destruction as non-negotiable deliverables, not paperwork.
Agreement Types You Must Recognize
| Agreement | Primary purpose | Tell-tale scenario phrase |
|---|---|---|
| SLA | Measurable service levels | "99.9% uptime, 1-hour Sev-1 response, 4-hour RTO" |
| MSA | Master legal/business umbrella | "liability, payment, IP, disputes for the whole relationship" |
| SOW | Specific project scope | "migrate 40 apps by a date with acceptance criteria" |
| WO | Task issued under an MSA | "add one server build under the existing master contract" |
| NDA | Protect confidential information | "vendor reviews network diagrams during a proposal" |
| BPA | Obligations for protected/regulated data | "billing partner handles patient records" |
| MOU | Records shared understanding (intent) | "agencies agree to coordinate incident response" |
| MOA | Documents agreed responsibilities/actions | "university and lab define roles for secure data exchange" |
Decision rules the exam rewards
- Uptime, response time, or restoration target → SLA.
- Broad, long-term legal terms → MSA.
- Concrete deliverables and dates → SOW (a WO if it rides under an existing MSA).
- Secrets shared during evaluation → NDA.
- A partner processes regulated data → BPA.
- Non-binding intent between organizations → MOU/MOA.
Worked Scenario
A school district selects a hosted identity platform. At selection, it classifies student records as sensitive and rates the vendor high risk because the platform will authenticate every student and staff account. Before signing, due diligence pulls the security questionnaire, a recent SOC 2 Type II report, a data-flow diagram, the breach-notification process, and the subprocessor list.
At contracting, the MSA carries data-protection duties, audit rights, a 72-hour breach-notification clause, and termination language; the SOW scopes the migration; the SLA sets availability and support targets; an NDA covers architecture discussions. At onboarding, access is limited to named administrators and the vendor streams logs to the district SIEM (Security Information and Event Management). At offboarding, the district disables federation, exports required records, obtains a certificate of destruction, and revokes API tokens and VPN access.
Common Traps
- Treating a sales security statement as a contractual obligation — only signed terms bind.
- Buying an SLA for uptime but omitting incident-notification and data-return clauses.
- Onboarding before due diligence finishes.
- Granting vendor access through shared accounts instead of named, least-privilege identities.
- Ignoring fourth-party subprocessors and concentration risk.
- Ending a contract without revoking accounts, API keys, and VPN access or recovering stored data.
A final distinction the exam likes: an SLA is operational and measurable, while an MSA is legal and durable. When a question describes a percentage, a time window, or a penalty for missed performance, the answer is the SLA even if a master contract is mentioned in the same sentence. When the question is about who bears liability, owns intellectual property, or how disputes are resolved across the whole relationship, that is the MSA. SOWs and work orders both define deliverables, but the work order is the lighter instrument issued under an existing master so a new project does not require renegotiating the umbrella terms.
A managed payroll vendor must respond to severity 1 cases within one hour and meet a defined monthly uptime target. Which agreement most directly captures those measurable expectations?
An integrator will perform a six-week migration with defined deliverables, acceptance criteria, and dates, and the work is added under an existing master contract for a single task. Which document best describes the discrete task issued under that master?