Supplier Compliance: Key Regulations to Consider for Your SRM Program

Information Security Requirements for Suppliers

Even suppliers outside the IT industry may have access to PII, PHI, intellectual property, or other sensitive information that could pose compliance risks for your organization. Here are a few major information security requirements to consider when working with suppliers:

HIPAA for Suppliers

The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to implement information security controls that secure patients' protected health information (PHI). HIPAA requirements govern several types of organizations, including healthcare providers, health plan providers, and healthcare clearinghouses.

Under the HIPAA Business Associate Rule, third-party vendors and suppliers that store or process PHI also fall under HIPAA oversight. While HIPAA business associates tend to be IT vendors, this isn't always the case. Business associates can also include suppliers such as:

• Consultants that process healthcare claims
• Suppliers that perform utilization and efficiency reviews for a hospital
• Medical transcriptionists

Which suppliers must comply with HIPAA?

HIPAA's Business Associate Rule applies to any third party that stores or processes PHI. According to the Department of Health and Human Services, a business associate is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

CMMC for Suppliers

The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the U.S. Department of Defense (DoD) to improve the security of its supply chain, known as the Defense Industrial Base (DIB).

Under CMMC 2.0, organizations seeking to work with the Department of Defense will be required to meet specific information security standards and be certified against one of three CMMC levels, depending on the type of data they handle and the scope of their access to classified information:

• Level 1: This level is for suppliers managing Federal Contract Information (FCI), which is not critical to national security and requires self-assessments against 17 controls.
• Level 2: Suppliers handling controlled unclassified information (CUI) fall under Level 2 and will require certification against an additional 110 controls from NIST SP 800-171. Though some suppliers can conduct self-assessments at this level, most will require certified third-party audit organizations (C3PAOs) assessments.
• Level 3: This is an expert level for the highest-priority DoD suppliers. In addition to the controls required for Level 2, this level involves a subset of NIST SP 800-172 controls. The federal government will conduct the audits for Level 3 suppliers.

Which suppliers must comply with the CMMC?

The CMMC will apply to all DoD prime contractors, subcontractors, and suppliers in the DoD supply chain. The DoD anticipates that over 300,000 organizations will be impacted by CMMC regulations. Organizations that fail to comply with CMMC can lose the ability to bid on contracts with the U.S. Department of Defense. The final rulemaking on CMMC 2.0 is in progress, with phased implementation set for later this year and into 2025.

NIST for Suppliers

The National Institute of Standards and Technology (NIST) publishes cybersecurity frameworks containing best practices for building effective information security programs. All U.S. federal agencies, contractors, and subcontractors working with federal agencies must comply with NIST security mandates.

NIST documents are not legally binding, but several regulations are based on NIST controls and standards. Many public and private organizations require third-party certifications based on NIST guidance. Several NIST special publications outline controls that require organizations to establish and implement processes to identify, assess, and manage supply chain risk. These include:

• SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
• SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
• Cybersecurity Framework v2.0: Framework for Improving Critical Infrastructure Cybersecurity

Which NIST requirements apply to supplier relationships?

NIST requirements related to third-party suppliers include:

• Assess if security controls are implemented correctly, operating as intended, and meeting requirements
• Monitor security controls to determine their effectiveness on an ongoing basis
• Determine cybersecurity requirements for suppliers
• Enact cybersecurity requirements through formal agreements (e.g., contracts)
• Communicate to suppliers how cybersecurity requirements will be verified and validated
• Verify that cybersecurity requirements are met through assessment methodologies

NIST is not a regulatory body, so there are no direct legal penalties for non-compliance unless required by regulations like HIPAA, which uses NIST SP 800-66. However, if your organization works with U.S. government agencies, compliance with NIST standards is necessary. Non-compliance with NIST standards for third-party suppliers can still pose risks and harm customer relationships.

ESG Compliance Requirements for Suppliers

Regulations designed to address environmental, social, and governance (ESG) concerns are increasingly requiring organizations to proactively identify and address ESG issues in their extended supply chains.

Early ESG regulations, such as the UK Modern Slavery Act and the California Transparency in Supply Chains Act (CTSCA), primarily require organizations to report on their efforts to mitigate unethical practices in their supply chains. However, newer and more stringent ESG regulations demand actions such as conducting routine audits of supplier ESG practices, terminating contracts with unethical suppliers, and proactively monitoring supply chains for potential ESG risks.

ESG compliance requirements fall into two main categories:

1. Disclosure Requirements, which dictate that organizations report on efforts to address ESG concerns in their supply chains
2. Due Diligence & Control Requirements, which require organizations to evaluate supplier ESG practices and ensure that suppliers implement ESG-related controls

Existing and upcoming ESG regulations for your supplier risk management program include the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act, the UK Modern Slavery Act, the German Supply Chain Due Diligence Act, and the EU Corporate Sustainability Diligence Directive.

Fighting Against Forced Labour and Child Labour in Supply Chains Act (S-211)

The Fighting Against Forced Labour and Child Labour in Supply Chains Act, also known as S-211, is a law that requires Canadian government institutions and select private sector entities to "report on the measures taken to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains." The Act also provides for an inspection regime to enforce its provisions. As with the UK Modern Slavery Act, Australia Slavery Act, and similar laws, the Act aims to contribute to the global fight against forced labor, child labor, and other forms of modern slavery.

Who must comply with the Fighting Against Forced Labor Act?

All Canadian government organizations that produce, purchase, or distribute goods in Canada must comply with the Act. In addition, commercial entities must comply if they are either a) listed on a stock exchange in Canada or b) do business in and have assets in Canada that are at least $20 million, generate at least $40 million in revenue, and employ an average of at least 250 employees.

The UK Modern Slavery Act

The Modern Slavery Act of 2015 is a UK law that requires organizations to publicly communicate their practices to ensure that forced labor, human trafficking, and other forms of involuntary servitude are not taking place in their businesses or supply chains.

The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations must disclose, including:

• organizational structure, including information about its business and its supply chains
• corporate policies that address slavery and human trafficking
• due diligence processes for revealing potential slavery and human trafficking in its business and supply chains
• specific business areas where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk
• performance in ensuring that slavery and human trafficking do not occur in its business or supply chains
• information about staff training on slavery and human trafficking topics

Who must comply with the UK Modern Slavery Act?

The UK Modern Slavery Act applies to organizations operating in the UK with annual sales of £36 million or more.

The German Supply Chain Due Diligence Act

The German Supply Chain Due Diligence Act mandates organizations to implement human rights due diligence in their supply chains. This law requires businesses to take all necessary steps to prevent human rights risks, report on their efforts, remediate risks, and retain documentation for seven years.

Covered companies must update their processes for supply chain due diligence and align their activities with the Act's provisions, which cover the following areas:

• Environmental damage
• Minimum wages
• Child labor and forced labor
• Unlawful seizure of land and waters
• Torture
• Discrimination
• Freedom of association
• Problematic employment and working conditions
• Occupational health and safety

Who must comply with the German Supply Chain Due Diligence Act?

As of 2023, all companies operating in Germany with at least 3,000 employees are subject to the German Supply Chain Due Diligence Act. In 2024, the law will extend to companies with over 1,000 employees.

The EU Corporate Sustainability Due Diligence Directive

The Corporate Sustainability Due Diligence Directive, or CSDDD, outlines specific obligations for companies to perform due diligence on their operations and supply chains to identify, prevent, mitigate, and account for adverse environmental, labor, and human rights impacts. The European Parliament released the final draft in January 2024. If adopted, the law will go into effect in phases starting in 2027.

If the law is enacted, it will require organizations to:

• Integrate ESG due diligence into corporate policies
• Identify actual or potential adverse human rights and environmental impacts
• Prevent or mitigate potential impacts
• End or minimize actual impacts
• Establish and maintain a complaints procedure
• Monitor the effectiveness of the due diligence policy and measures
• Publicly report on due diligence activities

Who must comply with the Corporate Sustainability Due Diligence Directive?

If adopted, Corporate Sustainability Due Diligence Directive rules will apply to EU companies and parent companies with over 500 employees and a worldwide turnover higher than 150 million euros. The obligations will apply to companies with more than 250 workers and a turnover exceeding 40 million euros if they generate at least 20 million euros in one of the following sectors:

• Manufacturing and wholesale trade of textiles, clothing, and footwear
• Agriculture, including forestry and fisheries
• Food manufacturing and trade of raw agricultural materials
• Extraction and wholesale trade of mineral resources or related product manufacturing
• Construction

Data Privacy Requirements for Suppliers

Data privacy requirements are another central concern for organizations that work with third-party suppliers. Regulations such as GDPR and CCPA limit how personal data can be shared, stored, and processed between companies, and significant fines are imposed for compliance violations.

GDPR for Suppliers

The General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR applies to any organization that collects, stores, processes, or transfers personal data on individuals in Europe, regardless of its location.

Because third parties are often responsible for managing personal data on behalf of their customers, organizations must ensure that their suppliers and vendors have data protection controls and governance in place. This process involves conducting data privacy control assessments, analyzing the results for potential risks, and requiring third parties to remediate risks to avoid regulatory, financial, and reputational exposures.

In fact, the GDPR requires organizations to conduct risk assessments to identify privacy risks—both internally and at third parties that handle, process, or store personal data on behalf of the organization. Recital 76—Risk Assessment states that “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”

Who must comply with the GDPR?

The GDPR applies to any organization that stores or processes data belonging to residents of the European Union.

CCPA for Suppliers

The California Consumer Privacy Act regulates businesses’ collection and sale of consumer data to protect California residents’ sensitive personal information and provide consumers with control over how companies use that information.

The CCPA applies to consumer data collected from any resident of California, whether by a company headquartered there or just doing business there. Organizations need to monitor suppliers with access to data belonging to California residents and implement proactive measures to ensure that data subject to the CCPA is handled properly.

The CCPA was expanded in 2023 with the California Privacy Rights Act (CPRA), adding new compliance obligations that mandate strict third-party agreements to ensure the secure collection, use, and disposal of consumer information.

Who must comply with the CCPA?

The CCPA applies to businesses that collect personal information from California residents, service providers, and third parties to which businesses transfer that information. While the CCPA is a state law, it applies to any for-profit entity – anywhere – that does business with California consumers and:

• Has gross annual revenue over $25 million;
• Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
• Derives 50% or more of their annual revenue from selling California residents’ personal information.

Next Steps: Automate Supplier Compliance Management

Today’s third-party risk environment is complex and constantly evolving. Your supplier risk management program should, therefore, be able to meet regulatory compliance requirements and ensure business resilience throughout your supply chain.

With Prevalent’s supplier risk management solution, you can automate your supplier risk assessment, monitoring, analytics, and reporting activities with a single, unified platform. At the same time, you get built-in coverage for dozens of compliance regulations and best-practice frameworks. See how you can streamline your supplier risk compliance, schedule a demo today.