By Sean Dowling, VP & Head of HITRUST, vCISO and Federal Services at Accorian
The security of your organization is only as strong as the weakest vendor in your supply chain. I've worked with dozens of companies that had solid internal security programs, only to watch their risk posture unravel due to a partner, supplier, or SaaS provider who lacked even basic controls. This isn’t rare. It’s a pattern. And it underscores a critical truth: Third-Party Risk Management (TPRM) is no longer a compliance add-on. It’s a business imperative.
The new reality: Risk is external by default
Organizations are increasingly dependent on external vendors for core operations, such as cloud services, billing platforms, development partners, and more. While this creates efficiencies and innovation, it also significantly broadens the attack surface. Recent breaches across sectors have made one thing clear: adversaries don’t need to breach your perimeter if they can exploit your ecosystem.
What’s more, regulatory expectations are evolving just as rapidly. Frameworks like HITRUST now require demonstrable vendor risk management processes. Beyond compliance, customers, investors, and insurers are also demanding assurance that third-party risk is being proactively managed.
Common gaps we see in TPRM programs
Many organizations struggle to implement a TPRM program that is both scalable and effective. Common issues include:
- Over-reliance on static questionnaires that vendors can complete without validation
- Lack of tiering — treating all vendors the same regardless of their access or criticality
- Infrequent reassessment, leading to outdated risk profiles
- No integration between vendor risk and broader enterprise risk management or security operations
- Limited accountability, where no one owns vendor remediation or monitoring
These weaknesses can lead to audit findings, lost certifications, data breaches, or failed compliance programs.
How Accorian helps build and sustain effective TPRM programs
At Accorian, we approach TPRM as both a compliance requirement and a core risk discipline. We help organizations build TPRM programs that are right-sized, standards-aligned, and operationally sustainable. Here’s how we do it.
TPRM program design and framework development
We design and document the entire TPRM lifecycle tailored to your organization’s size, sector, and compliance obligations. This includes policies, procedures, workflows, roles/responsibilities, and escalation paths.
Vendor inventory and risk tiering
We work with you to develop a centralized vendor inventory and apply a tiering model based on each vendor’s access to data, systems, or business processes. This ensures high-risk vendors get the scrutiny they deserve.
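The tiering model described above, and the reassessment and accountability gaps listed earlier (static questionnaires, infrequent reassessment, no named owner), can be made concrete in code. The following is an added illustrative example, not Accorian's or HITRUST's tiering methodology: the scoring weights, tier thresholds, reassessment intervals, evidence hierarchy and the sample vendor inventory are all assumptions chosen for the illustration. It derives a tier from data sensitivity, access level and business criticality, then flags every vendor whose evidence type is below the tier's minimum, whose reassessment is overdue, or who has no accountable owner.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed scoring inputs (illustrative weights, not a HITRUST or Accorian model).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}  # regulated = PHI, CUI, NPI
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 3}  # privileged = admin or network connectivity
CRITICALITY = {"low": 0, "medium": 1, "high": 2}  # business impact if the vendor fails

# Assumed tier policy: reassessment interval (days) and the weakest evidence accepted per tier.
# "validated" stands for an independently validated report (e.g. a HITRUST r2/i1 report);
# "attested" for a self-attested report; "questionnaire" for an unvalidated questionnaire.
TIER_POLICY = {
    1: {"reassess_days": 365, "min_evidence": "validated"},
    2: {"reassess_days": 365, "min_evidence": "attested"},
    3: {"reassess_days": 730, "min_evidence": "questionnaire"},
}
EVIDENCE_RANK = {"questionnaire": 0, "attested": 1, "validated": 2}


@dataclass
class Vendor:
    name: str
    data_sensitivity: str
    access_level: str
    criticality: str
    evidence_type: str              # one of EVIDENCE_RANK's keys
    last_assessed: Optional[date]   # None = never assessed
    owner: Optional[str] = None     # person accountable for remediation and monitoring


def risk_score(v: Vendor) -> int:
    return DATA_SENSITIVITY[v.data_sensitivity] + ACCESS_LEVEL[v.access_level] + CRITICALITY[v.criticality]


def tier(v: Vendor) -> int:
    # Hard rule: write or privileged access to regulated data is always Tier 1,
    # regardless of how low the business-criticality component is.
    if DATA_SENSITIVITY[v.data_sensitivity] == 3 and ACCESS_LEVEL[v.access_level] >= 2:
        return 1
    s = risk_score(v)
    if s >= 6:
        return 1
    if s >= 3:
        return 2
    return 3


def findings(v: Vendor, today: date) -> List[str]:
    t = tier(v)
    policy = TIER_POLICY[t]
    out: List[str] = []
    if v.owner is None:
        out.append("no accountable owner")
    if EVIDENCE_RANK[v.evidence_type] < EVIDENCE_RANK[policy["min_evidence"]]:
        out.append(f"evidence '{v.evidence_type}' below tier {t} minimum '{policy['min_evidence']}'")
    if v.last_assessed is None:
        out.append("never assessed")
    else:
        age = (today - v.last_assessed).days
        if age > policy["reassess_days"]:
            out.append(f"reassessment overdue by {age - policy['reassess_days']} days")
    return out


def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, Tuple[int, List[str]]]:
    """Map each vendor name to (tier, list of findings)."""
    return {v.name: (tier(v), findings(v, today)) for v in vendors}


# Constructed sample inventory (fictional vendors).
SAMPLE_INVENTORY = [
    Vendor("cloud-ehr-host", "regulated", "privileged", "high", "validated", date(2024, 3, 1), "ciso"),
    Vendor("billing-saas", "regulated", "write", "medium", "questionnaire", date(2025, 1, 15), None),
    Vendor("swag-printer", "internal", "none", "low", "questionnaire", None, "procurement"),
]


def review_sample(today: date = date(2025, 11, 1)) -> Dict[str, Tuple[int, List[str]]]:
    return review_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for name, (t, issues) in review_sample().items():
        print(f"{name}: tier {t}; {', '.join(issues) or 'ok'}")
```

Run against the constructed inventory, the privileged EHR host lands in Tier 1 and is flagged only for an overdue reassessment; the billing platform is forced into Tier 1 by the regulated-data rule and is flagged for both a missing owner and questionnaire-only evidence; the low-risk printer is Tier 3 and is flagged because it has never been assessed. The point of the hard rule is that a vendor's total score should never dilute the fact that it can write to regulated data.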
Assessment tools and evidence validation
Our team helps you select or build effective assessment methods and assists with control validation, documentation review, and penetration testing. We don’t just rely on checkboxes. We help validate that what vendors say matches what they actually do.
Integration with compliance programs
We align your TPRM program with the HITRUST framework. This helps satisfy overlapping requirements efficiently and ensures your TPRM efforts directly support your audit-readiness.
Automation and technology enablement
If desired, we help select and implement vendor risk platforms or integrate TPRM into existing GRC tools. We ensure the processes are technology-enabled, not technology-driven, so they remain practical and user-friendly.
Ongoing monitoring and vCISO support
Through our vCISO services, we provide ongoing vendor monitoring, reassessment scheduling, contract language reviews, and support for vendor incidents or escalations. We act as an extension of your security leadership team to keep your TPRM program active and accountable.
How HITRUST strengthens TPRM
One of the biggest challenges in third-party risk management is establishing trust that is backed by validation rather than taken on faith. This is where HITRUST comes in. The HITRUST framework provides a common, certifiable standard that vendors can use to demonstrate their security and compliance posture. For organizations managing dozens or even hundreds of vendors, HITRUST assessments dramatically reduce the guesswork and overhead of vendor due diligence.
Benefits of leveraging HITRUST for TPRM include:
Consistency
Vendors are measured against the same control framework, eliminating the variability of one-off questionnaires.
Assurance through validation
HITRUST certifications are independently validated, giving you higher confidence that controls are in place and operating effectively.
Efficiency
Accepting HITRUST reports in lieu of custom assessments reduces the time and resources required to evaluate vendors.
Alignment with regulations
Because HITRUST maps to HIPAA, NIST, ISO, PCI, and other standards, vendor certifications help meet multiple compliance obligations at once.
Risk reduction
Using HITRUST as a benchmark helps you quickly identify vendors with weak or missing controls, so you can prioritize remediation or make better sourcing decisions.
Tiering
HITRUST offers different assessment options suited for different vendors based on their sizes, risk profiles, and business needs.
In short, HITRUST provides a scalable, standards-based foundation for building trust across your vendor ecosystem. When embedded into your TPRM program, it enables organizations to move beyond box-checking exercises and toward real, evidence-based assurance.
Final thought: TPRM is the new frontline
A strong internal security posture is not enough. Without a mature TPRM program, you are leaving the door wide open to risks that are out of your direct control, but not out of your responsibility.
If your organization is unsure where to begin, has stalled progress, or is facing audit pressure, Accorian can help you build a program that not only satisfies compliance but also protects your business with the HITRUST approach. TPRM is a journey, and we help you navigate it every step of the way.
Third-Party Risk Management Isn’t Optional — It’s Mission Critical
What is CMMC, and why is it challenging for contractors?
The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) is now a prerequisite for doing business within the Defense Industrial Base. Unlike a simple checklist, CMMC is a maturity model with level-specific expectations tied to federal rulemaking (the CMMC program rule at 32 CFR Part 170) and the Defense Federal Acquisition Regulation Supplement (DFARS).
Contractors must implement the right controls at the right level, prove they work, and keep proving it over time. Common hurdles in this process include fragmented frameworks, audit fatigue, and the burden of producing credible, repeatable evidence. The good news is that HITRUST CSF v11.6 and later include mappings to CMMC Levels 1–3, enabling organizations to align their cybersecurity programs with federal mandates while leveraging a single integrated framework.
How does HITRUST make CMMC readiness simpler and stronger?
HITRUST translates CMMC requirements into a practical, defensible, and scalable assurance program. With the HITRUST framework mappings to CMMC Levels 1–3 and targeted reporting (including Level 1 Insights), organizations can “build once” and inherit rigor across mandates, reducing rework while improving audit confidence with prime contractors, assessors, and the DoD.
What’s the quick view: CMMC vs. HITRUST support?
| Level | Scope (Data) | CMMC Path | HITRUST Boost | Key Artifact |
|---|---|---|---|---|
| L1 | FCI (Federal Contract Information) | Annual self-assessment with affirmation in the Supplier Performance Risk System (SPRS) | Right-sized, mapped basics; repeatable evidence | CMMC L1 Insights Report |
| L2 | CUI (Controlled Unclassified Information) | Self-assessment for select programs; C3PAO certification assessment for most; the 110 NIST SP 800-171 Rev 2 requirements | Validated testing; mapped evidence and gaps | HITRUST Validated Assessment |
| L3 | CUI (higher risk) | Government-led (DCMA DIBCAC), high-rigor assessment; 24 selected requirements from NIST SP 800-172 on top of Level 2 | Mature evidence lifecycle; continuous readiness | Assurance reports and readiness pack |
How do we map a practical path to CMMC using HITRUST?
- Confirm your target level. Determine whether you handle FCI (often Level 1) or CUI (typically Level 2; certain programs may require Level 3), and anchor your plan to that level.
- Adopt HITRUST CSF mappings. Align policies and procedures to mapped controls to reduce interpretation risk and ensure complete, level-appropriate coverage.
- Leverage Level 1 Insights (if applicable). Use the CMMC Level 1 Insights Report to structure self-assessments and streamline accurate SPRS submissions.
- Plan validated assurance for higher levels. For Levels 2–3, use HITRUST’s validated assessments and evidence model to prepare for third-party or government-led audits.
- Operationalize continuous readiness. Centralize evidence, manage inheritance, and schedule periodic checks to avoid last-minute remediation cycles.
What benefits can contractors and suppliers expect?
- Efficiency: One integrated framework supports multiple outcomes — CMMC and beyond — reducing duplication and audit fatigue.
- Credibility: Evidence grounded in tested controls resonates with prime contractors, C3PAOs, and federal stakeholders.
- Scalability: Right-sized for SMBs yet robust enough for large integrators; inheritance and centralization keep costs predictable.
- Resilience: Continuous-readiness practices help you maintain compliance as contracts, environments, and threats evolve.
Why is now the right time to act?
With CMMC requirements maturing across solicitations and flow-down clauses reaching subcontractors, delays increase the risk to pipeline and partner trust. Adopting HITRUST now accelerates certification readiness and sets a durable foundation for ongoing assurance, so you’re prepared not only to earn certification, but to keep it.
How do we get started fast?
- Identify your CMMC level based on data sensitivity and planned opportunities.
- Activate HITRUST mappings to translate CMMC into implementable, testable controls.
- Use Level 1 Insights for efficient, defensible self-assessments and clean SPRS submissions.
- Schedule a validated assessment pathway for Levels 2–3 and establish a cadence for continuous evidence maintenance.
How HITRUST Helps Organizations Achieve CMMC Certification
Key Takeaways
- The New York Department of Financial Services (NYDFS) explicitly referenced HITRUST in its October 2025 Industry Letter on Managing Risks Related to Third-Party Service Providers, a signal of regulatory preference for HITRUST in financial services.
- While HITRUST has long been the gold standard in healthcare, this recognition underscores its growing influence as the trusted framework for managing supply chain and vendor risk across industries.
- For Covered Entities under 23 NYCRR Part 500, HITRUST offers a clear, regulator-recognized way to evaluate and demonstrate vendor cybersecurity assurance.
- Companies that value security demand HITRUST.
Guidance from NYDFS
On October 21, 2025, the New York State Department of Financial Services (NYDFS) released an Industry Letter on Managing Risks Related to Third-Party Service Providers. This letter clarifies how regulated financial institutions should assess and manage the cybersecurity risks that they’re exposed to through vendors and service providers. NYDFS directs Covered Entities under 23 NYCRR Part 500 to evaluate vendors’ cybersecurity controls and notes that organizations should consider whether a third-party service provider:
“Undergoes external audits or independent assessments (e.g., ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in writing, compliance with Part 500.”
— NYDFS Industry Letter, October 21, 2025
For over a decade, HITRUST has defined the benchmark for information security assurance in healthcare. The HITRUST CSF set the standard for a comprehensive and certifiable framework. NYDFS’s recognition builds on a growing pattern across U.S. regulators and critical infrastructure sectors: the shift from informal vendor surveys to formal, certifiable assurance mechanisms. HITRUST is leading that evolution.
Strengthening the financial services supply chain
The message from DFS is clear: the security of your institution is only as strong as the security of your vendors. HITRUST enables organizations to:
- Demand consistent, measurable assurances from their service providers.
- Reduce audit fatigue and duplicative assessments through standardized, reusable certifications.
- Demonstrate a mature, risk-based vendor management program to regulators and boards.
Financial institutions are adopting HITRUST not because they have to, but because it’s the most efficient, defensible, and regulator-respected way to prove cybersecurity due diligence in complex vendor ecosystems.
The guidance emphasizes that regulated organizations remain accountable for the cybersecurity risks introduced by their third-party providers.
The bottom line? You can outsource operations, but you can’t outsource accountability.
Why organizations should demand HITRUST to meet NYDFS expectations
We believe the most effective way to meet the NYDFS expectations is to require validated, independently verified assurance from vendors. That’s where HITRUST delivers unmatched value. HITRUST reports a 0.59% breach rate among HITRUST-certified environments, a figure it cites as evidence of measurable security and assurance.
HITRUST enables organizations to confirm that their vendors have implemented the appropriate controls to protect data and manage risk. Rather than conducting endless proprietary questionnaires or relying on self-attested reports, organizations can leverage a vendor’s HITRUST assessment as independently validated proof that security controls are in place. NYDFS names HITRUST explicitly as an example of the external audits or independent assessments a Covered Entity should look for.
How leading organizations turn regulation into resilience
What regulators are now calling for — verified third-party assurance, ongoing oversight, and documented accountability — has been the foundation of the HITRUST model for years.
That’s why leading organizations across healthcare, finance, and technology rely on HITRUST not only to manage vendor risk but also to establish trust and confidence while doing business.