**4.3 Service provider requirements**

Service providers and vendors may be subject to different potential cybersecurity risk requirements than the actual provider or covered entity. If a covered entity works with a service provider, it should have proper agreements and risk mitigations in place. Two major sources of such agreements are: business associate agreements (BAAs) and other agreements, such as non-disclosure agreements. Let us examine both in the following subsections.
