FIRE + VAULT · CP-03 · Path and asset together

Control Third-Party Access

What it does

Give third parties access without giving them a permanent doorway.

Where it fits

Time-bounded vendor and supplier access

Who uses it

Financial services, Healthcare, Energy, Public sector

CP-03 topology

How CP-03 controls third-party access.

A FIRE+VAULT pattern. The vendor path is severed by default and exists only as a validated, time-bound Relay session, with every artefact preserved.

Grounded in NIS2 Art. 21(2)(d), DORA Art. 28-30 and ISO 27001 A.5.15, A.5.19.

Z0: Vendor or supplier zone

External party seeking a maintenance window

Validate · Relay · Lock

Request validated. Window opened for the engagement only.

Z1: Maintenance edge zone

The only place a vendor session ever lands

Execute · Transfer · Archive

Changes scoped, recorded and revocable on signal.

Z2: Managed estate zone

The systems the vendor is allowed to touch

OSS

Crown jewels · detail callout

Session evidence archive

Every vendor session, command and artefact preserved offline for audit and dispute.

Modules & symbols

Validate: Integrity check
Relay: Time-bound path
Lock: Named access
Execute: Approved action
Transfer: Controlled move
Archive: Disconnected copy
Conduit: Enforced module path
Crown jewels: Offline · detail callout

How it reads end to end

Validate checks the request before any door opens. Relay creates a controlled, time-bound access window. Lock ensures only approved users, roles or conditions can use it. Transfer governs what moves between environments, Archive preserves the activity for audit, and Execute can revoke the path on signal.

Sector relevance

Financial services, Healthcare, Energy, Public sector

Build control around your environment

Talk to our team about composing this Blueprint for your estate.

Takes about 2 minutes. No account needed.


    Firevault

    Firevault is Offline Secure Storage. Hardware you own, physically disconnected by default, with KYC-verified access. Ransomware-proof by design, not by patch.

    © 2026 Firevault Limited. Disconnect to Protect®