These are great questions, but I first want to clarify what you said about third-party tiering. High, medium/moderate, and low are typically used as a tier system, but critical shouldn't be used as a risk rating. Criticality is a classification, or a ...