MIL1 requirements
a. Important IT and OT third-party dependencies are identified (that is, internal and external parties on which the delivery of the function depends, including operating partners), at least in an ad hoc manner
b. Third parties that have access to, control of, or custody of any IT, OT, or information assets that are important to the delivery of the function are identified, at least in an ad hoc manner
MIL2 requirements
c. A defined method is followed to identify risks arising from suppliers and other third parties
d. Third parties are prioritized according to established criteria (for example, importance to the delivery of the function, impact of a compromise or disruption, ability to negotiate cybersecurity requirements within contracts)
e. Escalated prioritization is assigned to suppliers and other third parties whose compromise or disruption could cause significant consequences (for example, single-source suppliers, suppliers with privileged access)
MIL3 requirements
f. Prioritization of suppliers and other third parties is updated periodically and according to defined triggers, such as system changes and external events
The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.
The organization must identify critical IT partners. A critical partner (internal or external) is a partner without whom the operation would be interrupted.