Third Party Management Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Third Party Management Policy
Framework Reference: Secure Controls Framework – Third Party Management (TPM)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) participates in and supports the enterprise-wide Third Party Management program managed centrally by Summit Technology Holdings, LLC (STH). Third party vendor management is centralized at the STH level; FRHC’s role is to collaborate with STH processes rather than manage vendors independently. This standard documents FRHC’s obligations and compliance approach.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC employees, managers, and any staff involved in identifying, requesting, or working with third-party vendors, contractors, or business associates. It covers vendors that are critical to FRHC operations, that access FRHC sensitive data (including ePHI), or that have access to FRHC systems or networks.
3. Standard
Section titled “3. Standard”3.1 Vendor Inventory & Classification
Section titled “3.1 Vendor Inventory & Classification”STH maintains a centralized inventory of all third parties engaged across the enterprise, including those supporting FRHC. FRHC is responsible for notifying STH of all new vendor needs and changes to existing vendor relationships so that vendors can be inventoried and classified appropriately. FRHC does not maintain an independent vendor inventory outside of STH’s centralized system.
- Parent Policy Mapping: STH Third Party Management Policy, Section 3.1
- SCF Mapping: TPM-01 (Third-Party Management)
3.2 Risk Assessment of Vendors
Section titled “3.2 Risk Assessment of Vendors”Vendor security and risk assessments are conducted by STH prior to contract execution and periodically thereafter based on vendor classification. FRHC cooperates with STH’s due diligence process by providing context, requirements, and information about the vendor relationship. FRHC does not conduct independent vendor risk assessments. Where FRHC identifies concerns about a vendor’s security posture or compliance, these are escalated to STH promptly.
- Parent Policy Mapping: STH Third Party Management Policy, Section 3.2
- SCF Mapping: TPM-02 (Third-Party Criticality Assessments)
3.3 Contracts and Business Associate Agreements
Section titled “3.3 Contracts and Business Associate Agreements”All vendor contracts are negotiated and executed under STH authority. FRHC does not independently execute vendor contracts. Where a vendor accesses, processes, or stores ePHI on FRHC’s behalf, STH ensures a Business Associate Agreement (BAA) is in place prior to any data access. FRHC coordinates with STH to identify all vendors requiring BAAs. Contracts with vendors that handle personal information (as defined under 201 CMR 17.00) of Massachusetts residents — including vendors processing employee personal information such as payroll, HR, and benefits systems — must include written obligations requiring the vendor to maintain appropriate security measures consistent with 201 CMR 17.00.
- Parent Policy Mapping: STH Third Party Management Policy, Section 3.3
- SCF Mapping: TPM-04 (Third-Party Services)
3.4 Monitoring and Oversight
Section titled “3.4 Monitoring and Oversight”STH oversees ongoing vendor monitoring, including collection of SOC 2 Type II reports, HIPAA attestations, and periodic security reviews. FRHC supports monitoring activities by escalating any vendor-related performance issues, security concerns, or changes in vendor scope to STH immediately. FRHC does not independently monitor vendors outside of STH’s program.
- Parent Policy Mapping: STH Third Party Management Policy, Section 3.4
- SCF Mapping: TPM-05 (Third-Party Contract Requirements)
3.5 Termination of Vendor Relationships
Section titled “3.5 Termination of Vendor Relationships”Vendor termination and off-boarding activities are coordinated by STH. FRHC notifies STH when a vendor relationship is ending or when vendor access should be revoked, and cooperates with the termination process including confirming data return or destruction requirements. FRHC does not independently manage vendor termination.
- Parent Policy Mapping: STH Third Party Management Policy, Section 3.5
- SCF Mapping: TPM-08 (Review of Third-Party Services)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC participates in STH’s vendor management governance program by submitting new vendor requests through STH’s process, cooperating with risk assessments, and promptly escalating concerns. FRHC management reviews active FRHC vendor relationships at least annually to confirm alignment with STH’s centralized inventory and BAA register. Evidence supporting FRHC vendor management compliance is retained within STH’s centralized records and made available for SOC 2 Type II audits and HIPAA Security Rule compliance assessments.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Third Party Management Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(b) – Business Associate Contracts and Other Arrangements
- AICPA SOC 2 Trust Services Criteria:
- Risk Mitigation (CC9.2)
- Vendor Management (CC3.1)
- Massachusetts 201 CMR 17.00: §17.03(2)(f) – Contractual Requirements for Third-Party Service Providers
Framework Alignment:
- TPM-01 – Third-Party Management
- TPM-02 – Third-Party Criticality Assessments
- TPM-04 – Third-Party Services
- TPM-05 – Third-Party Contract Requirements
- TPM-08 – Review of Third-Party Services
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | July 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Added 201 CMR 17.00 vendor contract requirement (§3.3); added MA regulatory citation | April 2026 | M Machin |
