Third Party Cybersecurity Compliance Certificate

The CCC Program was established to ensure all Aramco third parties are in compliance with the cybersecurity requirements as outlined in Aramco’s Third Party Cybersecurity Standard (SACS-002). All vendors are required to obtain the Cybersecurity Compliance Certification.

Complete the following steps in order to obtain your Aramco Cybersecurity Compliance Certificate (CCC):

STEP 1: Certification Requirements Preparation

• 1.1. For the registration phase all vendors are required to obtain cybersecurity compliance certification CCC — General Requirements
  
  
• 1.2. Initiate a request with the department/proponent in Aramco that your company has ongoing business with, to complete the Third Party Classification Template
  
  
• 1.3. Fill out the Third Party Classification Confirmation Letter
  
  • 1.3.1. If CCC & CCC+ are both applicable based on your company classification, then only the CCC+ application will be required/accepted
  • 1.3.1.1. Implement all applicable cybersecurity controls specified in Third Party Cybersecurity Standard
  • 1.3.2. If the company falls under more than one classification, then all the cybersecurity controls under the relevant/applicable classifications are required

STEP 2: Select an Authorized Audit Firm

• 2.1 Go to the CCC portal where you can select an Audit Firm.
  
  
• 2.2 Establish a contract with the Authorized Audit Firm (see list below) prior to assessment verification

STEP 3: Compliance Verification & Issuance

• 3.1 CCC
• 3.1.1. Conduct CCC Compliance Assessment
  
  • Fill out all of the fields in the Third Party Cybersecurity Compliance Report 
  • Ensure the answers are comprehensive, clearly described, and attach all the required supporting documents 
  • Ensure that all the evidence provided is readable and time stamped, and that proof of its relation to the Third Party is clearly pointed out/highlighted in the screenshots

• 3.1.2 The Authorized Audit Firm will verify the documents and generate the Third Party Cybersecurity Compliance Report

• 3.2 CCC+

• 3.2.1 Submit the completed documents
  • Third Party Classification Template
  • Third-Party Classification Confirmation Letter to the Authorized Audit Firm, prior to the assessment verification

• 3.2.2 Arrange with an Authorized Audit Firm to conduct the compliance on-site assessment
• 3.2.3 The Authorized Audit Firm will conduct the on-site assessment and generate the Cybersecurity Compliance Report and issue the Certificate

STEP 4: Submit Issued CCC

• 4.1. Submit the issued Certificate and Report from the Authorized Audit Firm to Aramco, through the e-marketplace system

STEP 5: CCC Validity & Renewal

• 5.1 CCC is valid for two years from the issuance date

• 5.1.1. If the company is awarded a new contract that involves a cybersecurity classification type not covered in the current valid certificate, then a new certificate needs to be obtained and submitted

• 5.1.2. Prior to the end of the two years, your company needs to submit a new CCC