What does the term 'flow-down controls' refer to in TPRM?

Flow-down controls are contractual obligations that require downstream providers and subcontractors to adopt the same security controls you require of your primary vendor. This ensures that protections and responsibilities extend through the entire supply chain, so any third parties handling data or systems on your behalf are bound to the same security standards. For example, if your vendor must use encryption and incident reporting, those requirements should also apply to any subcontractors they rely on. The other options don’t fit because flow-down controls aren’t about publicly sharing obligations, nor about limiting controls to internal teams, nor about ignoring subcontractor relationships. They’re specifically about passing and enforcing the same security responsibilities down the chain through contracts.