How do I know if this applies to me?

This applies to any person’s employed by the University or the Medical Center that plan to utilize a third party to do work with the University or Medical Center regardless if those services are paid for or not.

How do I request a security assessment of a third-party engagement?

Go to You will be asked to fill out the forms and begin the process with the 3rd Party. You will hear back within 2-3 week of initiating the request.

What username and password do I use?

This application utilizes your Active Directory (AD) account and password.

Who is a Sponsor?

Anyone who is engaging with a third party, who needs an Information Security Risk and Compliance review done on the engagement.

Who is a Third Party?

An outside entity wanting to engage with UR/URMC while providing a device, application, network connectivity and/or data use/exchange.

What should I do if my third party does not want to use this application?

As per the University’s Information Security policy Data Security Classification Policy all third parties dealing with University High Risk or Moderate Risk are subject to a security assessment.

Reiterate to the third party this is a standard for our institution. If the third party requires an NDA or is still not willing to utilize the application, please escalate to or

What if the contact I have for the third party is not the contact needed to complete the questionnaire?

The third party contact will be able to add additional contacts to complete the questionnaire.

What if the third party disagrees with the pre questionnaire answers?

The sponsor will receive email notification. The sponsor will need correct the submission in 3PA to move forward.

Can I upload additional documentation?

Yes, both the sponsor and the third party will be able to upload additional documentation.

Who do I contact for questions related to 3PA?

Any support related questions need to be escalated to University Information Technology (UIT) or