Third-Party Cybersecurity Assessment Standards

ComplianceForge Support

The release of the Cybersecurity & Data Protection Assessment Standards (CDPAS) is important to the cybersecurity industry.

[Figure: diagram depicting the CDPAS standards for third-party cybersecurity assessments]

The CDPAS is a cohesive, consistent set of standards to govern cybersecurity and data protection related Third Party Assessment, Attestation and Certification Services (3PAAC Services). The CDPAS provides performance standards to normalize 3PAAC Services. By following the CDPAS methodology, cybersecurity and data privacy practitioners can improve the currently disjointed approach used to perform assessments of cybersecurity and/or data protection controls.

The CDPAS empowers organizations to develop cybersecurity and data protection assessment strategies tailored to their specific mission and business needs, threats and operational environments. The CDPAS is not “one-size-fits-all.” Instead, the guidance throughout this document should be adopted and tailored to the unique size, resources and risk circumstances of each organization. It can be modified, or augmented, with specific requirements.

You can download the CDPAS from: https://securecontrolsframework.com/content/cdpas.pdf

NIST SP 800‑53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been withdrawn or folded into other controls. Some controls are not assigned to any baseline (low, moderate, high, or privacy) in NIST SP 800‑53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.