Methodology
VendorSoluce™ · NIST SP 800-161

VIRA Vendor Inherent Risk Assessment

Observable relationship facts only — before questionnaires, certifications, or controls. Outputs a defensible inherent tier (Critical / High / Medium / Low).

NIST SP 800-161 Rev 1
Version 1.0 · 2026
ERMITS LLC

What VIRA is

VIRA™ (Vendor Inherent Risk Assessment) is the methodology behind VendorSoluce™ inherent scoring. It scores the relationship from observable facts — not vendor marketing — and yields a tier: Critical, High, Medium, or Low. It is not a security audit; it sets how much diligence you owe before and during residual-risk work.

Core principle
Inherent risk is a property of the relationship: what the vendor can touch, how critical they are, and what breaks if they fail — not what they claim about controls.

VIRA answers: How much exposure are we taking on?
Baseline before questionnaires or evidence: worst-case if the vendor had no mitigations.

VIRA does not answer: How well did they mitigate?
That is residual risk (certifications, questionnaires, evidence). VIRA comes first.

Why inherent risk must be assessed first

VIRA sets the baseline before vendor engagement. Tier reflects structural facts your org defines — data, criticality, access, regulation — so effort and questionnaires scale to real exposure.

Why assess inherent risk first
Defensible · Proportional · Independent · Consistent
  • Defensibility — Tiers map to stated inputs (e.g. record volume + production access + DPA).
  • Proportionality — Light process for Low; full diligence path for Critical.
  • Independence — SOC 2 / ISO do not raise inherent tier; they inform residual risk later.
  • Consistency — Same rules across new, legacy, and renewal relationships.

The five domains of inherent risk

Five domains (0–100 each), weighted and combined per NIST SP 800-161 C-SCRM guidance.

D1 · Data sensitivity · weight 30%
Breach impact from data categories, volume, cross-border flow, and processor vs. sub-processor role.
Inputs: Biometric · Health / PHI · Children's data · Credentials · Financial · PII · Record volume · Cross-border transfer · Processing role

D2 · Operational criticality · weight 25%
Business impact if the service stops or is compromised; RTO and substitute providers.
Inputs: Business impact tier · Recovery time objective · Availability of alternatives · User scope

D3 · Access & integration scope · weight 20%
How deeply the vendor is embedded; privileged and production access weigh highest.
Inputs: Privileged / admin access · Production system access · Network access · Physical access · Integration depth

D4 · Regulatory surface · weight 15%
Frameworks triggered by the relationship (HIPAA, GDPR, CMMC, FedRAMP, PCI, SOX, export controls, etc.).
Inputs: HIPAA / BAA required · GDPR / DPA required · MODPA · CMMC · FedRAMP · PCI-DSS · SOX · Export controls

D5 · Concentration & 4th-party risk · weight 10%
Sole-source critical functions and sub-processor visibility / jurisdictional concentration.
Inputs: Sole provider status · Sub-processor count · Geographic / jurisdictional risk · Vendor maturity

The scoring formula

Domains score 0–100 from discrete inputs; weighted sum yields a raw score; overrides may raise the minimum tier.

// VIRA scoring formula — version 1.0
raw_score          = D1×0.30 + D2×0.25 + D3×0.20 + D4×0.15 + D5×0.10
final_score        = max(raw_score, override_minimum)   // override_minimum = 0 if no overrides apply
inherent_risk_tier = tier lookup on final_score         // Critical ≥75 · High 50–74 · Medium 25–49 · Low <25

Each domain is capped at 100: its factors are weighted and summed, then capped. Discrete inputs only — no interpolation — so every point traces to an observed characteristic.

Non-negotiable overrides

Four conditions set a floor tier so a low weighted average cannot hide one catastrophic factor. They are evaluated after the weighted score and elevate the tier only when it falls below the minimum; they never lower it.

Condition · Rationale · Minimum tier

Tier 1 sensitive data processing (Health, Biometric, Children's data)
  Rationale: Elevated legal and reputational impact for health, biometric, or children's data.
  Minimum tier: High

Privileged or admin system access
  Rationale: Admin or privileged access implies lateral movement if the vendor is compromised.
  Minimum tier: High

Sole provider of a mission-critical function (no documented alternative)
  Rationale: No practical substitute for a mission-critical sole provider.
  Minimum tier: High

Regulated processing requiring a BAA (HIPAA Business Associate Agreement)
  Rationale: PHI under HIPAA requires a BAA and baseline diligence regardless of vendor claims.
  Minimum tier: Medium
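The scoring pipeline described above (weighted domain sum, override floors, tier lookup, diligence path) as an added worked example written for this page; it is not VendorSoluce's own implementation. It assumes the five domain scores (0–100) have already been produced at intake, and the VendorFacts field names and the sample vendor are constructed for the illustration.

```python
"""Worked example of the VIRA v1.0 inherent-risk scoring pipeline.

Added illustration, not VendorSoluce code. Domain scores are assumed to be
already computed at intake; the boolean override flags on VendorFacts are
hypothetical field names chosen for this example.
"""
from dataclasses import dataclass

# Domain weights from the page's formula (D1..D5).
WEIGHTS = {"D1": 0.30, "D2": 0.25, "D3": 0.20, "D4": 0.15, "D5": 0.10}

# Tier lower bounds: Critical >=75, High 50-74, Medium 25-49, Low <25.
TIER_LOWER_BOUND = {"Critical": 75, "High": 50, "Medium": 25, "Low": 0}

# Minimum diligence path prescribed per tier.
DILIGENCE_PATH = {
    "Critical": "Enhanced",
    "High": "Standard-plus",
    "Medium": "Standard",
    "Low": "Lightweight",
}


@dataclass
class VendorFacts:
    """Observable relationship facts captured at intake (org-supplied, not vendor-supplied)."""
    domains: dict                                   # {"D1": 0-100, ..., "D5": 0-100}
    tier1_sensitive_data: bool = False              # health, biometric or children's data
    privileged_access: bool = False                 # admin / privileged system access
    sole_provider_mission_critical: bool = False    # no documented alternative
    baa_required: bool = False                      # HIPAA Business Associate Agreement


def clamp(value, low=0, high=100):
    """Cap a domain score to the 0-100 range before weighting."""
    return max(low, min(high, value))


def weighted_score(domains):
    """raw_score = sum(Dn x weight); each domain capped at 100, result capped at 100."""
    total = sum(clamp(domains.get(d, 0)) * w for d, w in WEIGHTS.items())
    return round(min(total, 100.0), 2)


def triggered_overrides(facts):
    """Return (condition, minimum tier) for every non-negotiable override that applies."""
    rules = [
        (facts.tier1_sensitive_data, "Tier 1 sensitive data processing", "High"),
        (facts.privileged_access, "Privileged or admin system access", "High"),
        (facts.sole_provider_mission_critical, "Sole provider of a mission-critical function", "High"),
        (facts.baa_required, "Regulated processing requiring a BAA", "Medium"),
    ]
    return [(name, tier) for applies, name, tier in rules if applies]


def tier_for_score(score):
    """Tier lookup on the final score using the page's thresholds."""
    for tier in ("Critical", "High", "Medium", "Low"):
        if score >= TIER_LOWER_BOUND[tier]:
            return tier
    return "Low"


def assess(facts):
    """Full pipeline: raw score -> override floor -> final score -> tier -> diligence path."""
    raw = weighted_score(facts.domains)
    overrides = triggered_overrides(facts)
    # override_minimum is the lower bound of the highest floor tier triggered, or 0 if none.
    override_minimum = max((TIER_LOWER_BOUND[t] for _, t in overrides), default=0)
    # Floors only ever raise the score; max() never lowers a high raw score.
    final = max(raw, override_minimum)
    tier = tier_for_score(final)
    return {
        "raw_score": raw,
        "overrides": overrides,
        "override_minimum": override_minimum,
        "final_score": final,
        "tier": tier,
        "diligence": DILIGENCE_PATH[tier],
        "elevated_by_override": final > raw,
    }


if __name__ == "__main__":
    # Constructed sample: peripheral SaaS tool with low domain scores but an
    # admin integration account, so the privileged-access floor applies.
    sample = VendorFacts(
        domains={"D1": 10, "D2": 20, "D3": 10, "D4": 10, "D5": 10},
        privileged_access=True,
    )
    for key, value in assess(sample).items():
        print(f"{key}: {value}")
```

The override minimum is expressed as the lower bound of the floor tier (High = 50, Medium = 25), which is what lets the page's max(raw_score, override_minimum) step feed the same tier lookup unchanged; a vendor whose raw score is already above the floor is untouched, and the report records whether an override did the elevating so the tier stays auditable to its input.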

The four risk tiers

Four tiers drive minimum diligence depth before approval.

Critical · 75–100
Severe structural exposure: often Tier 1 data + privileged access + mission-critical role.
Enhanced due diligence required

High · 50–74
Strong exposure in one or more domains (e.g. production access + material data, or critical sole source).
Standard-plus due diligence

Medium · 25–49
Moderate: personal data or integrations without crossing Critical/High thresholds.
Standard due diligence

Low · 0–24
Limited: peripheral role, minimal data, no privileged access, light regulatory surface.
Lightweight due diligence

Required due diligence by tier

Minimum diligence is prescribed by tier (not by vendor size or contract value).

Critical · Enhanced
Full questionnaire (150+), evidence review, technical assessment as needed, exec and legal sign-off, mandatory reassessment cadence.
Includes: Full questionnaire (150+) · Evidence vault review · Penetration test results · SOC 2 Type II · ISO 27001 certificate · Legal contract review · Executive approval · Quarterly monitoring

High · Standard-plus
Questionnaire (80+), key-control evidence, certification checks, required agreements (DPA/BAA), periodic reassessment.
Includes: Security questionnaire (80+) · SOC 2 Type II or equivalent · Evidence review · DPA / BAA execution · Insurance verification · Annual reassessment

Medium · Standard
Standard questionnaire with selective self-attestation, certification and privacy review, annual reassessment.
Includes: Security questionnaire · Certification attestation · Privacy notice review · Annual reassessment

Low · Lightweight
Light self-attestation, basic checks, annual or change-triggered review.
Includes: Self-attestation form · Basic security check · Annual review

The VIRA assessment process

Owned by your risk or procurement team, before vendor questionnaires or evidence.

01 · Vendor intake — relationship characterization
Intake across five domains from your org's facts (scope, data, integration, regulation). Vendor does not participate.
Output: Five domain scores

02 · Weighted score calculation
Apply the weighted formula; then apply any tier floors from overrides.
Output: Final inherent risk score (0–100)

03 · Tier assignment and report generation
Map score to tier; issue report (domains, factors, overrides, diligence path) for the vendor file.
Output: VIRA Inherent Risk Report

04 · Due diligence — residual risk assessment
Run tier-calibrated questionnaire, evidence, and agreements → residual risk view.
Output: Residual risk assessment + evidence vault

05 · Onboarding decision and ongoing monitoring
Decide onboarding from inherent + residual; reassess annually or on material change.
Output: Approved vendor record in portfolio

Inherent vs. residual risk

VIRA stops at inherent tier; residual work follows.

Factor · Inherent risk (VIRA) · Residual risk (post-VIRA)

Who determines it
  Inherent: Your org, from observed facts
  Residual: Questionnaires, certifications, verified evidence

Vendor certifications
  Inherent: Not in scope for the inherent score
  Residual: Core inputs in diligence

Security questionnaire
  Inherent: Not used beforehand
  Residual: Depth follows tier

When it changes
  Inherent: Relationship change (data, integration, scope)
  Residual: Control posture change (certs, findings, incidents)

Can the vendor improve it?
  Inherent: No
  Residual: Yes

Audit defensibility
  Inherent: Auditable to discrete inputs
  Residual: Depends on evidence quality

Standards alignment

Domains and weighting align to common TPRM references; primary anchors are NIST C-SCRM and CSF.

Standard · Role in VIRA

NIST SP 800-161 Rev 1 (C-SCRM): Primary — inherent vs residual, criticality, assess before supplier engagement; maps to D2/D5.
NIST CSF 2.0: Primary — Identify / Govern and third-party risk context.
ISO/IEC 27036: Supporting — supplier assessment before engagement; documented criteria.
GDPR Art. 28: Regulatory — processor guarantees and DPA surface in D4.