Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.2. Agreement Types

💡 First Principle: Contracts are the enforcement mechanism for third-party security requirements. Without contractual obligations, vendor security commitments are good intentions, not enforceable requirements. Each agreement type serves a different purpose, and the exam expects you to match the scenario to the correct agreement.

Service Level Agreement (SLA) — defines measurable performance requirements: uptime (99.9%), response time (< 200ms), incident notification timelines (within 24 hours), and penalties for non-compliance (service credits, termination rights). SLAs put teeth into vendor commitments because failure has financial consequences.

Memorandum of Agreement (MOA) / Memorandum of Understanding (MOU) — documents shared understanding and intent between parties. MOAs are typically more formal and may be legally binding; MOUs establish intent without strict legal enforcement. Often used between government agencies or between departments within the same organization.

Master Service Agreement (MSA) — overarching contract governing the entire relationship. Includes liability, intellectual property, dispute resolution, confidentiality, and termination provisions. Individual projects are executed under the MSA through work orders or SOWs — you don't renegotiate the entire relationship for each project.

Business Partners Agreement (BPA) — defines the relationship between business partners, including shared responsibilities, revenue sharing, liability allocation, and exit provisions.

Non-Disclosure Agreement (NDA) — legally binding agreement protecting confidential information shared between parties. Prevents vendors from disclosing your proprietary data, architecture, or security findings. NDAs should be signed before sharing any sensitive information during vendor assessment.

Work Order / Statement of Work (SOW) — specifies the particular work to be performed under the master agreement. Includes scope, deliverables, timelines, acceptance criteria, and payment terms. SOWs define what gets done for how much; the MSA defines the legal framework governing how the work relationship operates.

⚠️ Exam Trap: SLA = measurable performance requirements with penalties for non-compliance. MOU = mutual understanding without strict enforcement. NDA = confidentiality protection. MSA = overarching relationship terms. SOW = specific project scope under the MSA. Know which agreement type matches the scenario described in the question.

Written by Alvin Varughese
Founder • 15 professional certifications