I would say this is a good approach to focus your due diligence on domestic requirements. The vendor's headquarters in a different country generally wouldn't be considered in scope for TPRM unless you're working with them directly. Here are some suggestions on what to review during due diligence:
- Hiring policies – It's good to understand the vendor's hiring practices, such as drug testing and background checks, which can give you better insight into the employees that may be interacting with your organization.
- OFAC/PEP checks – This would be important to identify the vendor's owners and management team and confirm they aren't affiliated with anyone on the sanctions list.
- Locations – The vendor should identify all of the locations that will directly support the product or service. This can help you understand any concentration risk that may exist so you can review their resiliency in each location. Locations are especially important to identify if the vendor is storing or transmitting any of your organization's or customers' data, because you'll need to consider different regulations around privacy.
These are just a few examples and there are many other items you may need to review, depending on the product or service.
I hope these suggestions are helpful and I'm interested to see what other members recommend in this situation.