DEV Community

TiltedLunar123
TiltedLunar123

Posted on

MOU or MOA? Stop guessing on the Security+ vendor agreement questions

Most people study SY0-701 like the whole thing is malware and port numbers. Then Domain 5 shows up.

Security Program Management and Oversight is 20% of the exam. Roughly one question in five. It is also where I watch confident studiers go quiet, because the material reads like paperwork rather than security.

The worst offender inside it is the agreement pile. SLA, MOU, MOA, MSA, SOW, WO, NDA, BPA. Eight acronyms. All of them are contracts of some kind, and every one of them is plausible in a question stem. Memorizing eight definitions and hoping the right one surfaces under exam pressure does not work. What works is a decoder.

Put four of them on a ladder

These are not eight unrelated documents. Several sit on a line that runs from "we broadly agree" to "here is exactly what you owe me by Friday."

MOU, memorandum of understanding. The loose end. Two organizations write down the broad goals of working together. Informal. Often not even a signed contract.

MOA, memorandum of agreement. One step up. It describes the relationship in more detail, and both sides are actually agreeing to what is in it.

MSA, master service agreement. Now it is a real legal contract. It sets standing terms between the two organizations so that future work does not need a fresh negotiation every time.

SOW or WO, statement of work or work order. The specifics that hang off the MSA. It names the scope and the location, and it lists every deliverable against a date. This is the document that says what is actually getting done.

That ladder covers the pair people mix up most (MOU and MOA) and the pair people mix up second most (MSA and SOW).

The other four are single-purpose

SLA, service level agreement. Numbers. Uptime. Response time. Whatever minimum service level the vendor is promising. If a stem mentions 99.9% availability or a four hour response window, you are being asked about an SLA and the rest of the question is decoration.

NDA, non-disclosure agreement. Secrecy. It exists so both sides can talk about trade secrets and internal systems without that information walking out the door.

BPA, business partners agreement. The money, and the divorce clause. It covers the financial arrangement between partners and what happens when the partnership goes wrong.

You may also see ISA (interconnection security agreement) in older material about federal network connections. Know the name. Do not spend a night on it.

The decoder

Read the stem and ask one thing: what is the vendor being held to?

  • Held to a number? SLA.
  • Sworn to silence? NDA.
  • Owes a specific deliverable on a specific date? SOW or WO.
  • Bound to the general terms of doing business together over time? MSA.
  • Promising nothing yet, because you are still describing intentions? MOU, and MOA once those intentions get detailed and mutual.
  • Taking a share of the money? BPA.

Almost every agreement question collapses into that list. CompTIA does not want a lawyer. It wants you to notice that the stem described an uptime target rather than a set of intentions.

Agreements are only half the objective

The other half is what you do before and after you sign. Follow the vendor through a lifecycle and it stops being a word list.

Before you sign. Due diligence, which means you actually look into the vendor instead of trusting the sales deck. Conflict of interest, which means the person picking the vendor should not have a personal stake in that vendor. Supply chain analysis, because your vendor has vendors, and their bad day becomes your incident.

Proving they are secure. Here is where points get thrown away, because four answer choices look interchangeable. They are distinct.

  • Right-to-audit clause. A contract term that gives you permission to inspect them. You write it before you need it. When a stem is about your authority to look, rather than the looking itself, this is the answer.
  • Evidence of internal audits. Their own audit results, produced by their own people. Cheap and useful, but self-graded.
  • Independent assessment. A third party they do not control produces the finding. Higher trust than internal.
  • Penetration testing. Someone actively tries to break in.

Try this one. A vendor keeps stalling every time you ask to review their controls, and your contract says nothing about inspections. What failed? Your monitoring program is not the problem here. The failure happened at contract time, and the fix you skipped was the right-to-audit clause.

After you sign. Vendor monitoring, because a vendor who was solid at signing can drift. Questionnaires, which are the cheap recurring version of monitoring. Rules of engagement, which set scope and boundaries before anyone tests anything, so your pen test does not turn into somebody's incident response call at 2am.

How to drill this

Do not build eight flashcards with eight definitions. That is what everyone does, and it is why these questions still feel like a coin flip on exam day. Build scenarios instead.

Write ten stems that describe a situation with no acronym anywhere in it, then answer each with a document.

  • A cloud provider commits to restoring service within four hours of an outage.
  • Two universities publish a shared research intent, with no contract behind it.
  • A contractor is engaged for one migration, with a delivery date and a deliverables list.
  • A startup wants to show a potential acquirer its architecture without that architecture leaking.

Practice the translation, because translation is the actual exam skill. The definitions were never the hard part.

If you want the scenario reps without writing them yourself, the practice bank at secplusmastery.com covers Domain 5 alongside the other four domains, and the free diagnostic at secplusmastery.com/diagnostic will show you fast whether governance is the domain quietly costing you the exam. For a lot of people, it is.

Top comments (0)