When an exam scenario describes an agreement, work through these five questions in order:
- Are there measurable performance standards AND financial penalties for non-performance? Yes = SLA
- Does it govern a partnership with equity/revenue sharing? Yes = BPA
- Is the primary purpose confidentiality of shared information? Yes = NDA (then determine type)
- Is it a long-term framework governing all future projects? Yes = MSA. Is it a specific project under an MSA? Yes = WO/SOW
- Is it documenting intent or cooperation without binding obligations? Broad intent = MOU. Specific commitments = MOA
Most exam scenarios have one or two obvious identifiers. Look for: "financial penalty" (SLA), "ownership stake" (BPA), "confidentiality" (NDA), "framework for all future work" (MSA), "specific deliverables and schedule" (SOW), "not legally binding / intent" (MOU), "specific commitments / conditionally binding" (MOA).
The MOU/MOA distinction is subtle and frequently tested. One question separates them:
"Are specific deliverables, responsibilities, and timelines defined?"
- No, just broad shared goals: MOU — "We agree to share threat intelligence and cooperate on security matters"
- Yes, specific things each party commits to do: MOA — "Agency A will deliver weekly threat reports; Agency B will share IOCs within 24 hours of detection; both parties will participate in quarterly reviews"
Binding force test: neither MOU nor MOA is a full legal contract with enforceable remedies. But MOA has conditional binding: parties must honor the specific commitments they made. Violating an MOU has no consequence; violating an MOA may constitute breach of good faith even if no legal damages apply.
Common context: both MOU and MOA are heavily used in government, military, and interagency contexts. When a scenario involves two government agencies or departments, the default is usually MOU (broad cooperation) or MOA (specific program cooperation).
NDA type is determined entirely by the direction of information flow:
- Unilateral: ONE party discloses → ONLY the receiving party is bound. "Company A shares secret formula with Lab B for testing; Lab B promises confidentiality, Company A does not."
- Bilateral (Mutual): BOTH parties disclose → BOTH are bound. "Company A and Company B discuss a potential merger; both share financials; both promise confidentiality."
- Multilateral: THREE OR MORE parties → ALL are bound. "Five pharmaceutical companies form a research consortium; all share proprietary compound data; all parties promise confidentiality to each other."
The key exam indicator: count how many parties are sharing confidential information. One = unilateral. Two = bilateral. Three or more = multilateral.
Always required for NDAs: formal written document, authorized signatures, definition of what constitutes confidential information, duration of the obligation, and exclusions (publicly available information is typically excluded). An NDA without signatures is not legally enforceable.
MSA and Work Order scenarios always come as a pair. The key exam point: they serve different but complementary purposes and you need BOTH for any significant engagement.
- MSA (signed once): the legal infrastructure for the entire relationship. Covers terms, conditions, liability, IP, payment, and governing law that apply to ALL future work. You do not want to renegotiate these fundamental terms for each project.
- WO/SOW (issued for each project): the specific project document. References the MSA (inheriting its terms) and adds project-specific details: this scope, this schedule, these deliverables, this price, these acceptance criteria.
Exam trap: "The company is starting a new penetration test engagement. They have an MSA in place. Which document is also needed?" Answer: a Statement of Work (SOW) specifying this pen test's scope, schedule, deliverables, and price. The MSA alone does not authorize specific work.
Exam trap 2: "The company signs a document specifying a $50,000 penetration test with defined scope. Is this the MSA?" No — this is a SOW/WO. The MSA covers the general terms; the SOW covers this specific engagement.
Practice Scenarios
Classify each of the following agreements and explain the key identifier: (A) Two hospitals agree to share patient surge capacity during disasters; the document describes the general intent to cooperate without specifying penalties or financial terms. (B) A technology company and a cybersecurity firm sign a document in which the cybersecurity firm promises to keep all vulnerability findings confidential; the tech company makes no such promise because it will not be receiving any confidential information from the cybersecurity firm. (C) An HR software vendor guarantees 99.95% uptime for its system and offers a 20% service credit for any month where availability falls below 99.5%. (D) A managed security services company signs a framework agreement covering payment terms, IP ownership, liability caps, and governing law that will apply to all future engagements. (E) A venture capital firm and a startup sign a document specifying the VC's 40% ownership stake, board seat rights, anti-dilution provisions, and the process for management disputes.
Answer: (A) MOU. Key identifiers: two parties (hospitals), general intent to cooperate (patient surge sharing), no financial penalties, no specific deliverables or timelines, not a binding legal contract. The document establishes shared willingness to cooperate in principle; specific terms would be worked out during an actual surge event. (B) Unilateral NDA. Key identifiers: only one party (the cybersecurity firm) is bound by confidentiality; only one party (the tech company) is disclosing confidential information (vulnerability findings). The confidentiality obligation flows in one direction only. The tech company has no confidential information flowing to it, so it has no confidentiality obligation to the cybersecurity firm. (C) SLA. Key identifiers: specific measurable performance standard (99.95% uptime), financial penalty for non-performance (20% service credit for months below 99.5%). The financial penalty provision is the defining SLA characteristic. (D) MSA. Key identifiers: framework covering all future engagements, standard terms (payment, IP, liability, governing law) that apply to all work, not specific to any one project. The language "all future engagements" and the general terms (not specific deliverables) identify this as an MSA. (E) BPA. Key identifiers: ownership stake (40%), governance rights (board seat), protective provisions (anti-dilution), dispute resolution for partners. This governs a partnership/investment relationship, not a customer-vendor service relationship. The ownership stake and governance rights are BPA-specific.
A healthcare system is engaging a managed security service provider (MSSP) for a 3-year relationship covering security monitoring, incident response support, vulnerability management, and an annual penetration test. Design the complete agreement package: which agreement types are needed, what each covers, and what security-specific provisions must be included.
Answer: The complete agreement package requires four documents: (1) NDA (signed first, before any substantive discussions). Type: Bilateral (mutual) NDA because both parties will share confidential information: the healthcare system shares patient data handling details and security architecture; the MSSP shares their tools, methodologies, and proprietary monitoring technology. Duration: term of the engagement plus 5 years post-termination. Must cover: vulnerability findings, network topology, security architecture, patient data scope, and MSSP's proprietary processes. (2) MSA (the framework contract). Covers: payment terms (monthly retainer plus incident response hourly rates), liability limitations ($5M cap), IP ownership (all deliverables and findings belong to the healthcare system), governing law (healthcare system's state), dispute resolution (arbitration), 3-year term with renewal option. Security provisions required: minimum security standards the MSSP must maintain for its own infrastructure and personnel, right-to-audit clause (healthcare system may audit MSSP's security controls), breach notification within 4 hours if the MSSP discovers an incident affecting the healthcare system, personnel background check requirements for all staff with access to healthcare system data, HIPAA Business Associate Agreement (legally required since MSSP will access PHI during monitoring). (3) SLA (defines performance standards, referenced in MSA or as an exhibit). Must include: security monitoring SLA (100% of critical alerts acknowledged within 15 minutes, triaged within 30 minutes), vulnerability management SLA (critical vulnerabilities reported within 4 hours, high within 24 hours), uptime guarantee for monitoring infrastructure (99.9%), incident response engagement SLA (team on-site or remote within 4 hours for confirmed critical incidents), financial penalties for SLA violations (service credits, right to terminate for persistent SLA failure). (4) SOW for annual penetration test. Covers: scope (external perimeter, internal network, web applications listed by name), schedule (January annually, duration 10 business days), authorized techniques (black-box external, gray-box internal; no social engineering without additional approval), deliverable (executive summary + technical report in PTES format, within 10 business days of test completion), acceptance criteria (report must include all findings classified by CVSS score, with remediation recommendations), price ($75,000 per annual test).
A company has been working with a software development vendor for 6 months. They signed only a simple purchase order for the initial $50,000 project. The vendor now has access to the company's source code repository, customer database schemas, and internal API documentation. The relationship is expanding: the vendor wants to use the company's customer data to train their AI models. A dispute arises about who owns the code the vendor wrote. Identify all the agreement gaps and what documents should have been in place.
Answer: Multiple critical agreement gaps exist: (1) No MSA: a simple purchase order does not constitute a Master Service Agreement. The relationship lacked legal foundation covering IP ownership, liability, dispute resolution, and governing law. This is why there is now a dispute about code ownership — the purchase order almost certainly did not address who owns the intellectual property in work product created by the vendor. Required: a retroactive MSA clearly stating that all work product, code, and deliverables created by the vendor for this company are the company's intellectual property. (2) No NDA: the vendor has access to source code, database schemas, and API documentation — all of which are confidential and proprietary. No confidentiality obligation was established. The vendor could share this information with competitors or use it in other engagements. Required: a bilateral NDA (both parties share confidential information: company shares its systems; vendor shares its methodologies) that covers all disclosed information retroactively. Immediate concern: the NDA needs to be signed now and cover ongoing access. (3) No data processing agreement or usage restriction: the vendor wants to use customer data for AI model training. This is an entirely new purpose for the data that the company's customers did not consent to. Under GDPR (and potentially CCPA), using customer data for AI training requires: customer consent for this purpose, or a separate legal basis that likely does not exist. Required: explicit prohibition in the contract against using customer data for any purpose beyond the defined software development work. This must be addressed immediately before any data is used for AI training. (4) No SOW for expanded work: the initial purchase order covered the initial project only. Expanded work (additional features, maintenance, new systems) requires new SOWs under the MSA. Summary: the relationship should have started with: (1) NDA, (2) MSA with IP ownership (client owns work product) and data use restrictions, (3) SOW for specific project under the MSA. The absence of all three created the current disputes and risks.