Recommended Requirements for Cybersecurity Vendors

August 13, 2025

How can we be more pro-active in managing the risk of our suppliers? In a previous blog post, I had written about Vendor Tiering (see https://www.nigp.org/blog/vendor-tiering ) and how this risk model offers an additional layer of granularity, allowing for more tailored risk management practices based on vendor criticality and risk profile.

If your agency is concerned about the cybersecurity posture of its suppliers, it can strengthen vendor accountability and risk mitigation by requiring a combination of industry-recognized certifications, security assessments, contractual clauses, and attestations. Below is a list of requirements that you may wish to consider:

Certifications & Audits

1. SOC 2 Type II Report (System and Organization Controls)

Evaluates controls over data security, availability, processing integrity, confidentiality, and privacy.
Type II specifically reviews the operating effectiveness of those controls over a period of time (typically 6-12 months).

2. ISO/IEC 27001 Certification

International standard for information security management systems (ISMS).
Demonstrates a systematic approach to managing sensitive information and ensuring data security.

ISO 27001 Information Systems.

3. FedRAMP Authorization (for cloud-based services)

Required for vendors working with federal government, but useful as a benchmark for cloud security.
Indicates that the vendor meets NIST 800-53 security controls.

https://www.fedramp.gov

4. Cybersecurity Maturity Model Certification (CMMC)

Developed by the U.S. Department of Defense.
Indicates the level of cybersecurity hygiene (from Level 1–Basic to Level 5–Advanced/Progressive).
Can be useful for vendors who handle controlled unclassified information (CUI).

cybersecurity-maturity-model-certification.

5. State or Local Government Security Standards

Some states (e.g., Texas, California) have their own cybersecurity assessment frameworks.
Vendors may need to comply with those if the city is in that jurisdiction.

Policy & Documentation Requirements

1. Written Information Security Policy (WISP)

Require vendors to submit and annually update a WISP detailing their approach to data protection, access control, and incident response.

2. Incident Response Plan (IRP)

Vendors must maintain a current, tested IRP and agree to notify the city/county within a specified time (e.g., 24–72 hours) of any suspected or actual breach.

3. Annual Risk Assessments

Require documentation showing the supplier performs annual third-party or internal cybersecurity risk assessments.

Cybersecurity Insurance Requirements

Mandate cyber liability insurance with specified limits (e.g., $1M–$5M) covering data breaches, forensic investigation, business interruption, and notification costs.

Contractual Clauses & Requirements

1. Right to Audit

Include a clause granting the city the right to audit or request third-party audits of the supplier’s security practices.

2. Data Breach Notification Clause

Require notification within a certain number of hours/days and specify the type of information to be provided (impact, data exposed, mitigation steps).

3. Data Handling Requirements

Enforce data minimization, encryption at rest and in transit, and proper destruction policies for sensitive or personally identifiable information.

4. Flow-Down Requirements

Require subcontractors or third-party service providers used by the vendor to meet the same cybersecurity standards.

Supplemental Tools or Proofs

1. Penetration Test Results (Redacted or Summary Reports)

Evidence of annual external pen testing with vulnerabilities remediated.

2. Vulnerability Scans

Recent results from automated scans of infrastructure with a summary of resolved issues.

3. Employee Security Awareness Training

Require vendors to certify that all staff complete annual security awareness training (e.g., phishing, password hygiene, social engineering).

Agency Discretion

Kirk Buffington

Read Here

Upcoming Webinars

Webinar Recordings

NIGP Leadership Summit

NIGP Forum

NIGP VCON

Headliner: Tariffs and the New World Order

Register Early and Save

Strategy

Policy and Legislation

Planning and Analysis

Sourcing and Solicitation

Contract Administration

Leadership

Business Principles

Essential Skills

Learning Labs

Headliners

New - Request for Proposals

Developing and Managing a Sustainability Program

Job Order Contracting (JOC)

Using Federal Grant Funds

Construction Procurement

Technology Procurement

Cloud Procurement

Foundational (0 - 5 Years)

Mid-Career Professional (6+ Years)

Legacy and Transition

Introduction to Public Procurement

NIGP Leadership Roadmap

Core Certificate: Foundations of Leadership

Edge

Impact

Mastermind

NIGP Career Development Guide

Mentorship

Concierge Program

Learning by Design Blog

Certification Prep

Agency Training

Pathways Program

Select the Right Credential

Our Promise

Instructor Directory

Special Offer for Members

Search for a Course

Upcoming Course Calendar

On Demand Courses

Why Attain the NIGP-CPP

Current NIGP-CPPs

Hear from your peers

Get Started

Map your Timeline

How to Apply

NIGP-CPP Requirements Manual

Attend a NIGP-CPP Webinar

NIGP-CPP Prep Tools

Understand the Exam

Exam Prep Timeline

Register for the November Testing Window

Register for Testing

Exam Pass/Fail Stats

How to Recertify

NIGP-CPP Retired Status

Authorized Education Providers

Access your Record

About CARE

Who we are

Call for Academic Research

Impact of Public Procurement

Cooperative Purchasing Programs

Search Contracts

State & Provinces Procurement Websites

Other Associations

Higher Education Programs

Values & Guiding Principles

Document Library

Dictionary of Terms

NSite Communities Online

Special Interest Groups - NSite+

NIGP Bookstore