Do vendor-specific security requirements exist that take into account the specific potential risk a given vendor may impart?