FAIR TPRM — Third Party Risk Assessment

Vendor Profile

Capture basic information about the third party. This establishes organizational context for the risk assessment in alignment with NIST 800-30 asset and threat source identification.

Organization Details

Vendor / Third Party Name *

Engagement Type *

Assessment Date

Assessed By

Business Purpose / Description

Vendor Maturity & Certifications

Select all certifications and compliance frameworks the vendor currently holds. These reduce vulnerability scores in the FAIR model.

SOC 2 Type II

ISO 27001

PCI DSS

HIPAA Attestation

FedRAMP Authorized

NIST CSF Aligned

GDPR DPA Signed

Pen Test (Annual)

Data & Access

Define what data the vendor can access and how they connect to your environment. FAIR Asset Value (AV) and NIST 800-30 asset characterization are built from these inputs.

Data Classification & Volume

Highest Data Classification Accessible * ?

Estimated Records Volume ?

Annual Contract / Engagement Value ($) ?

Regulatory Applicability

Data Types Accessible

Select all data types the vendor can view, process, or store. Each type adds to the loss magnitude calculation.

Personally Identifiable Info (PII)

Protected Health Info (PHI)

Payment Card Data (PCI)

Employee / HR Records

Financial / Accounting Data

Intellectual Property / Trade Secrets

Authentication Credentials

System / Network Config

Access & Connectivity

Access Level Granted * ?

Connection Method ?

Frequency of Data Access

Vendor Sub-processors / 4th Parties ?

Threat Landscape

Assess the threat event frequency (TEF) — the rate at which threat agents act against this vendor. Aligns with NIST 800-30 Threat Source and Threat Event characterization.

Loss Event Frequency (LEF) = Threat Event Frequency (TEF) × Vulnerability (Vuln)

TEF = Contact Frequency × Probability of Action

Threat Source Profile

Select all relevant threat sources per NIST 800-30 Table D-2.

Nation-state / APT actors

Cybercriminal groups (ransomware)

Hacktivist groups

Insider threat (vendor employee)

Accidental / negligent disclosure

Competitor / economic espionage

Supply chain compromise

Physical / environmental threat

Threat Frequency & Capability

Industry Threat Targeting ?

Vendor's Known Incident History

Threat Agent Capability Level ?

Opportunistic (1)Sophisticated (5)Nation-State (10)

Threat Agent Intent / Motivation ?

Minimal (1)Moderate (5)Highly motivated (10)

Control Assessment

Evaluate the vendor's security controls and your own oversight controls. These drive FAIR Vulnerability and align with NIST 800-30 Predisposing Conditions and Control Effectiveness.

Vulnerability = 1 − Control Strength × Control Coverage

Higher control scores → Lower vulnerability → Lower LEF

Vendor Security Controls

Identity & Access Management (IAM) Maturity ?

No controls (1)Basic MFA (5)Zero-trust PAM (10)

Data Protection & Encryption Controls ?

None (1)TLS + AES-256 (5)Full DLP + tokenization (10)

Vulnerability & Patch Management ?

Ad-hoc (1)Monthly patching (5)Automated ASAP (10)

Incident Detection & Response Capability ?

Reactive only (1)Documented IR plan (5)SOC + SOAR (10)

Your Organization's Oversight Controls

Contractual Security Requirements

Monitoring & Oversight Frequency

Business Continuity / Redundancy

Network Segmentation Applied

Loss Magnitude

Quantify the potential financial and operational impact of a loss event. FAIR Loss Magnitude (LM) = Primary Loss + Secondary Loss. NIST 800-30 maps this to Adverse Impact characterization.

Risk = Loss Event Frequency (LEF) × Loss Magnitude (LM)

LM = Primary Loss (direct) + Secondary Loss (indirect: regulatory, reputational)

Primary Loss Factors

Estimated Breach Response Cost ($) ?

Maximum Regulatory Fine Exposure ($) ?

Business Disruption Impact

Estimated Downtime Tolerance

Secondary Loss Factors (NIST 800-30 Table H-3)

Reputational / Brand Damage Potential ?

Minimal (1)Moderate (5)Catastrophic (10)

Litigation / Legal Liability Potential ?

Minimal (1)Moderate (5)Major litigation (10)

Competitive / IP Impact

Mission / Safety Impact (NIST)

ASSESSMENT COMPLETE

Risk Assessment Results

OVERALL RISK SCORE

—

FAIR × NIST 800-30 Composite

LIKELIHOOD × IMPACT MATRIX (NIST 800-30)

LIKELIHOOD →

← IMPACT →

LIKELIHOOD SCORE

—

Threat Event Frequency × Vulnerability

IMPACT SCORE

—

Primary + Secondary Loss Magnitude

FAIR Factor Breakdown

NIST SP 800-30 Risk Detail Table

FAIR / NIST Factor	Input Value	Weighted Score	Interpretation

Risk Treatment Recommendations

Risk Disposition