AccountMade

Traceable-Answer Reference  /  Supply Chain Management, Transparency, and Accountability

STA-08Supply Chain Risk Management

Periodically review risk factors associated with all organizations in the supply chain.

Every framework that asks this

Answer STA-08 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.

FrameworkEquivalent control(s)Confidence
SOC 2CC2.1high
ISO 27001A.5.19, A.5.22medium
NIST CSF 2.0GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 (domain-level)high
NIST 800-53SR-2, SR-3, SR-5, SR-6, SR-8, SA-9 (domain-level)high
SIGCloud Services, Nth Party Management, Supply Chain Risk Management (domain-level)medium

Full provenance and NIST 800-53 mappings: the framework crosswalk.

What the reviewer is really checking

The reviewer is establishing whether your vendors extend or dilute the security they're buying from you. Every subprocessor that stores, processes, or can access customer data inherits some of your trust, and the buyer can't assess a party they can't see, so the first thing they test is whether you even maintain an inventory of who those parties are and what data or access each holds. Then they probe the lifecycle around it: how you vet a vendor before onboarding (security review, evidence such as their SOC 2, risk tiering by data sensitivity), how you monitor them over time rather than at signing only, and whether your security and data-protection obligations flow down to critical suppliers by contract (DPA, security addendum, breach-notification pass-through). They also look for transparency mechanics: is the subprocessor list published or available, and do customers get advance notice and a right to object before you add a new one, a standard DPA expectation. Frameworks make this a first-class domain: NIST CSF 2.0 elevated supply chain to a governance function (GV.SC), NIST SP 800-53 has the SR family, SOC 2 CC9.2 tests vendor risk management, and ISO 27001 A.5.19 to A.5.23 cover supplier relationships. The reviewer is checking the buyer's fourth-party exposure is actually governed, not assumed.

What a truthful, defensible answer contains

A defensible answer starts by confirming you maintain a subprocessor and vendor inventory and describes what it records: the vendor, the data or access involved, and a risk tier. It describes the vetting you perform before onboarding: a security review, the evidence you require (for example the vendor's SOC 2 or ISO certificate), and how sensitivity determines the depth of review. It describes ongoing monitoring, meaning periodic reassessment and watching for lapsed certifications or incidents, rather than a one-time check at signing. It states how obligations flow down to critical suppliers: that security requirements, data-protection terms, and breach-notification duties are imposed contractually through a DPA or security addendum. And it addresses transparency: whether the subprocessor list is available to customers and whether they receive advance notice and a right to object before a new subprocessor is added. Where practices differ by vendor tier, a truthful answer says so and states the threshold. It maps to the referenced control (CCM STA, NIST CSF GV.SC, SOC 2 CC9.2, ISO 27001 A.5.19–A.5.23) without overstating. The buyer wants to see a governed program with an inventory at its center, not a claim that all vendors are 'fully vetted.'

Make it traceable

Point each claim at a maintained artifact. 'We keep an inventory' resolves to the subprocessor register or the public subprocessor page, with its URL; 'we vet vendors' resolves to your third-party risk management policy and a sample completed assessment; 'obligations flow down' resolves to the standard DPA or security addendum clause you impose (§X); and 'customers get notice' resolves to the notification and right-to-object term in your DPA. If a SOC 2 report tests vendor management, cite CC9.2 and the report date. The strongest answer links the live subprocessor list rather than describing it, because a published, dated list is self-proving and stays current after the deal. Every assertion should trace to a document under change control, a register you update or a contract template you actually use, so the reviewer sees governance in force rather than a description written for this response.

Answer patterns that hold up

  • Inventory first (confirm it exists and what it records) before any vetting or monitoring claim.
  • Vetting described as review step, then required evidence, then risk-tiering, each concrete.
  • Flow-down stated as which obligations (security, data-protection, breach-notice) are imposed and via which contract instrument (DPA/addendum §X).
  • Transparency stated as list availability, then advance notice, then right to object, mapped to the DPA term.
  • A tier threshold stated where vetting depth or monitoring cadence varies by vendor criticality.

Evidence that backs the answer

Subprocessor register or published subprocessor list (with URL and date)Third-party or vendor-risk management policy defining tiering and cadenceA sample completed vendor security assessmentDPA or security addendum showing flow-down and breach-notification clausesCustomer-notification and right-to-object term for new subprocessorsSOC 2 CC9.2 section or ISO 27001 A.5.19–A.5.23 mapping in the latest report

Red flags reviewers catch

  • No subprocessor inventory, so the buyer can't see who touches their data at all.
  • 'All vendors are vetted' with no tiering, no required evidence, and no monitoring after signing.
  • Vendor review described as one-time at onboarding with no periodic reassessment.
  • No statement that security or breach-notification obligations flow down to suppliers by contract.
  • No customer notice or right to object before new subprocessors are added.

Other Supply Chain Management, Transparency, and Accountability controls

FAQ

What is a buyer really asking with STA-08?

The reviewer is establishing whether your vendors extend or dilute the security they're buying from you. Every subprocessor that stores, processes, or can access customer data inherits some of your trust, and the buyer can't assess a party they can't see, so the first thing they test is whether you even maintain an inventory of who those parties are and what data or access each holds. Then they probe the lifecycle around it: how you vet a vendor before onboarding (security review, evidence such as their SOC 2, risk tiering by data sensitivity), how you monitor them over time rather than at signing only, and whether your security and data-protection obligations flow down to critical suppliers by contract (DPA, security addendum, breach-notification pass-through). They also look for transparency mechanics: is the subprocessor list published or available, and do customers get advance notice and a right to object before you add a new one, a standard DPA expectation. Frameworks make this a first-class domain: NIST CSF 2.0 elevated supply chain to a governance function (GV.SC), NIST SP 800-53 has the SR family, SOC 2 CC9.2 tests vendor risk management, and ISO 27001 A.5.19 to A.5.23 cover supplier relationships. The reviewer is checking the buyer's fourth-party exposure is actually governed, not assumed.

What does a defensible answer to STA-08 need?

A defensible answer starts by confirming you maintain a subprocessor and vendor inventory and describes what it records: the vendor, the data or access involved, and a risk tier. It describes the vetting you perform before onboarding: a security review, the evidence you require (for example the vendor's SOC 2 or ISO certificate), and how sensitivity determines the depth of review. It describes ongoing monitoring, meaning periodic reassessment and watching for lapsed certifications or incidents, rather than a one-time check at signing. It states how obligations flow down to critical suppliers: that security requirements, data-protection terms, and breach-notification duties are imposed contractually through a DPA or security addendum. And it addresses transparency: whether the subprocessor list is available to customers and whether they receive advance notice and a right to object before a new subprocessor is added. Where practices differ by vendor tier, a truthful answer says so and states the threshold. It maps to the referenced control (CCM STA, NIST CSF GV.SC, SOC 2 CC9.2, ISO 27001 A.5.19–A.5.23) without overstating. The buyer wants to see a governed program with an inventory at its center, not a claim that all vendors are 'fully vetted.'

Which other frameworks does STA-08 cover?

Answering STA-08 typically covers SOC 2 (CC2.1); ISO 27001 (A.5.19, A.5.22); NIST CSF 2.0 (GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10); NIST 800-53 (SR-2, SR-3, SR-5, SR-6, SR-8, SA-9); SIG (Cloud Services, Nth Party Management, Supply Chain Risk Management). Confidence and altitude vary per mapping — see the equivalents table.

Answer every buyer from one governed source.