What Is a Trusted Partner Network (TPN) Audit?

A Trusted Partner Network (TPN) audit is a content security assessment of a media and entertainment vendor, measured against the Motion Picture Association Content Security Best Practices.

A studio will not hand an unreleased film to a post-production house on trust alone. Before a vendor touches a pre-release cut, a script, or dailies, the studio wants evidence that the vendor's facility, network, and people will not be the reason that content leaks. The Trusted Partner Network (TPN) audit is how that evidence gets produced: a structured assessment of a media and entertainment vendor against a published content security standard, run through a shared platform so that every studio vetting the vendor can read the same result.

This guide covers what a TPN audit actually is, who runs the program, what the assessor checks, the difference between the Gold and Blue paths, and how the assessment fits into a studio's broader third-party risk process. It is written for the security practitioners who have to pass one of these audits or interpret the results of one: facility security leads, IT and DevOps teams at vendors, and the analysts who own vendor risk on the studio side.

What is a TPN audit?

A TPN audit is a content security assessment of a media and entertainment service provider, measured against the Motion Picture Association (MPA) Content Security Best Practices. The Trusted Partner Network is the program that defines the standard, accredits the assessors, and hosts the results. It is a global, industry-wide content security initiative wholly owned by the MPA, launched in 2018 to give studios a common way to evaluate the security of the vendors in their supply chain.

The problem TPN solves is duplication. Before it existed, every major studio assessed its vendors independently, against its own checklist, on its own schedule. A vendor that worked with six studios faced six separate audits asking overlapping questions. TPN replaced that with one standard and one questionnaire: a vendor completes an assessment once, and any TPN member studio can review the result through the shared platform instead of starting a new audit from scratch. The MPA reports that this proactive model has significantly shortened onboarding timelines for new vendors.

The audit is not a pass or fail certificate. It is a documented snapshot of how a vendor's security controls map to the best practices, including the gaps. A studio reads that snapshot and decides whether the vendor's posture is acceptable for the work in question. A facility handling a theatrical release before its premiere faces a higher bar than one captioning content that is already public, and the audit gives the studio the detail to make that call rather than a single yes or no.

Who runs TPN, and what standard does it use?

TPN is owned and operated by the Motion Picture Association, the trade association whose members include Walt Disney Studios, Netflix, Paramount Pictures, Sony Pictures Entertainment, Universal, and Warner Bros. The MPA has published content security guidance for the industry for decades, and TPN is the program that operationalizes it into an assessable framework.

The standard the audit measures against is the MPA Content Security Best Practices. It is a detailed control set, maintained and versioned by the MPA, that a vendor maps its environment against during the assessment. The best practices are organized around the way content actually moves through a facility, covering areas such as the security management program and policies, physical security of the site, and digital and network security controls, including the increasingly important controls for cloud and application workflows. Each control describes an expected security outcome, and the assessment records whether the vendor meets it, partially meets it, or does not.

Because the threat changes, the standard changes. The MPA revises the best practices on a regular cadence, and the current published version governs any new assessment. Vendors are assessed against the edition in force at the time of the audit, not against whichever version they passed previously, which is why a shield from two years ago is not the same assurance as a current one.

The TPN assessment process

[Figure: TPN Audit Process, the assessed (Gold) flow in order, from registration to a result a member studio can read on TPN+. 01 Register and scope: join TPN; define site, services, and systems in scope. 02 Questionnaire: document each control against the MPA Content Security Best Practices, with evidence. 03 Accredited assessor: engage an independent TPN-accredited assessor (not the vendor, not the studio). 04 Verify on-site: walk the site, inspect controls, review configs; the findings report records each gap. 05 Remediate and publish: address findings; the result, with residual gaps, posts to the vendor profile on TPN+. 06 Maintain and renew: a result is a point in time; renew on cycle or the posture goes stale. Gold vs Blue: the Gold path runs the verification steps (03 and 04) through an independent accredited assessor; the Blue path replaces them with vendor self-attestation, at lower cost and lower assurance.]

A TPN assessment follows a repeatable flow, whether the vendor is being assessed for the first time or renewing. The shape is the same: scope the environment, document the controls, have them verified, and publish the result to the studios that need it. The platform that carries all of this is TPN+, the program's membership and assessment system, where vendors maintain their profile and studios review outcomes.

The stages below describe a full assessed audit, the path that produces an independently verified result.

  • Register and scope. The vendor joins TPN and defines the scope of the assessment: which site, which services, which systems and workflows are in play. Scope matters, because the audit only speaks to what was assessed. A vendor with three facilities does not get one shield covering all of them by default.
  • Complete the questionnaire. The vendor works through the assessment questionnaire derived from the MPA Content Security Best Practices, documenting how each control is implemented and attaching the evidence that supports it: policies, configurations, diagrams, and records.
  • Engage an accredited assessor. For an assessed audit, the vendor selects a TPN-accredited assessor, an independent third party trained and authorized by TPN to conduct assessments against the standard. The assessor is not the vendor and not the studio.
  • On-site and technical verification. The assessor reviews the documented responses and verifies them against reality: walking the physical site, inspecting controls, reviewing configurations, and testing that what is written down is what is actually in place. The output is a findings report that records each control's status and any gaps.
  • Remediate and publish. The vendor addresses findings where it can, and the completed assessment, including residual gaps, is published to the vendor's profile on TPN+. Member studios with a relationship to the vendor can then review it.
  • Maintain and renew. A result reflects a point in time. Assessments are renewed on the program's cycle so the published posture stays current, and a vendor that lets its assessment lapse no longer presents an active result.

The assessor verifies controls, but it does not own the vendor's security. Remediation, evidence, and the ongoing posture are the vendor's responsibility. The audit measures; it does not fix.

Gold path vs Blue path

TPN's modern program splits into two routes, and the difference is who does the verifying. Choosing the right one depends on the assurance a studio requires and the certifications a vendor already holds.

Dimension | Gold (assessed) | Blue (self-attestation)
--- | --- | ---
Who verifies | Independent TPN-accredited assessor | The vendor itself
Evidence basis | On-site and technical verification against the best practices | Vendor's own attestation, including alternate security certifications
Assurance level | Higher; third-party validated | Lower; self-reported
Typical use | High-sensitivity content and workflows | Lower-risk scope, or vendors with existing recognized certifications
Effort and cost | Greater; engages an external assessor | Lower; completed by the vendor

The Gold path is the assessed audit described above. An accredited, independent assessor verifies the vendor's controls against the MPA Content Security Best Practices, including a review of the site and the technical environment. The result carries the weight of third-party validation, which is what a studio wants before trusting a vendor with high-value, pre-release content.

The Blue path is a self-attestation route. The vendor reports its own security posture and can map alternate, recognized security certifications it already holds to the TPN framework, rather than undergoing a fresh independent assessment for every control. Blue lowers the cost and effort of participation and suits lower-risk engagements or vendors whose existing certifications already cover much of the ground. The trade-off is assurance: a self-attestation is the vendor's word, supported by its evidence, not an independent verification of it.

Neither path is a universal answer. A studio sets the bar for a given piece of work, and a vendor picks the path that meets that bar at acceptable cost. The same vendor may hold a Gold result for its core finishing facility and rely on Blue self-attestation for a lower-risk service line.

What a TPN assessor actually checks

The questionnaire is long, but the controls cluster into a few areas that mirror how content can leak from a facility. Understanding the clusters is more useful than memorizing the line items, because it tells a vendor where to invest before the assessor arrives.

  • Security management and governance. Does the vendor have a real security program: documented policies, an owner, risk management, incident response, and personnel security including background screening and training? Assessors look for a program that operates, not a binder that was written once. A documented but unpracticed incident response plan is a finding.
  • Physical security. Who can get into the building, the machine rooms, and the areas where content is handled? Controls here cover access control to the site, visitor management, CCTV, alarm systems, and the handling and destruction of physical media. For a facility holding pre-release content, the physical perimeter is the first wall.
  • Digital and network security. How is content protected at rest, in transit, and in use? This is the largest cluster: network segmentation, firewalls, restricting internet and removable-media access from systems that touch content, encryption, logging and monitoring, patch and vulnerability management, and tightly scoped access to content stores. Least-privilege access and strong authentication are recurring themes.
  • Content handling and asset management. Can the vendor account for every copy of the content it holds: where it lives, who has touched it, and how it is disposed of when the work is done? Chain-of-custody and watermarking expectations live here.
  • Cloud and application security. As post-production moved into the cloud, the best practices expanded to cover cloud workflows and the applications that handle content: secure cloud configuration, identity and access management for cloud resources, and the security of any application a vendor builds or operates to process content.

The recurring weak spots are the unglamorous ones. Over-broad access to content stores, flat networks where a single compromised workstation can reach the content, missing or unreviewed logs, and incident response plans that exist on paper but have never been exercised. These are the same gaps that turn up in any third-party security review, and the assessor is trained to look past the documentation to whether the control actually operates.

How a TPN audit fits into third-party risk

A TPN audit is one input into a studio's vendor risk decision, not the whole of it. The audit answers a specific question: does this vendor's content security posture meet the MPA standard for the scope assessed? It does not, on its own, tell a studio whether to engage the vendor. That decision weighs the audit result against the sensitivity of the work, the contract terms, and the studio's own appetite for risk.

This is why TPN sits inside a broader cybersecurity risk assessment rather than replacing it. The media supply chain is deep: a single film passes through editors, VFX houses, sound, localization, marketing, and distribution, each a separate vendor with its own access to the content. Every one of those vendors is a potential entry point, which makes the whole arrangement a textbook target for a supply chain attack. The TPN audit narrows that risk by raising the security floor across the network of partners, so a studio is not trusting each vendor blind.

The stakes are concrete. A leaked pre-release film or series can erase opening-weekend revenue and is, in security terms, a data breach of an asset whose value is highest precisely before release. High-profile leaks of unreleased episodes and films, several traced to weaknesses at post-production and distribution vendors, are what drove the studios to standardize vendor security in the first place. The audit exists because the cost of a single vendor's weak controls lands on the studio, not the vendor.

For a vendor, the practical takeaway is that the audit rewards a security program that already operates. The facilities that pass cleanly are not the ones that scrambled to write policies the week before; they are the ones whose access is already scoped, whose networks are already segmented, whose logs are already reviewed, and whose incident response plan has actually been run. The audit measures that posture. It does not create it.

The bottom line

A TPN audit assesses a media and entertainment vendor against the MPA Content Security Best Practices, through the MPA-owned Trusted Partner Network and its TPN+ platform. The Gold path is an independent, verified assessment by an accredited assessor and carries the higher assurance studios want for sensitive content; the Blue path is a self-attestation that lowers cost and effort for lower-risk work or vendors with existing certifications. The assessor checks security governance, physical security, digital and network controls, content handling, and cloud and application security, looking for controls that operate rather than documentation that merely exists.

The audit is a snapshot of posture against a moving standard, not a permanent certificate, which is why scope and currency matter as much as the result itself. For the studio, it raises the security floor across a deep and leak-prone supply chain. For the vendor, it rewards the security work done before the assessor walks in, and exposes the work that was only ever written down.

Frequently Asked Questions

What is a Trusted Partner Network (TPN) audit?

A TPN audit is a content security assessment of a media and entertainment vendor, measured against the Motion Picture Association's Content Security Best Practices. It is run through the Trusted Partner Network, a program owned by the MPA, so that studios can evaluate a vendor's security once and share the result rather than each running a separate audit.

Who owns and runs the Trusted Partner Network?

The Trusted Partner Network is wholly owned and operated by the Motion Picture Association (MPA), the trade body whose members include the major film and television studios. The MPA maintains the Content Security Best Practices that the audit measures against and accredits the independent assessors who perform assessed audits.

What is the difference between a TPN Gold and Blue assessment?

The Gold path is an assessed audit: an independent, TPN-accredited assessor verifies the vendor's controls on-site and technically against the best practices, producing a third-party validated result. The Blue path is a self-attestation in which the vendor reports its own posture and can map existing security certifications to the framework. Gold carries higher assurance; Blue is lower cost and suits lower-risk scope.

What does a TPN assessor check?

A TPN assessor checks controls across security management and governance, physical site security, digital and network security, content handling and asset management, and cloud and application security. The verification looks for controls that actually operate, walking the facility, reviewing configurations, and confirming that documented policies are implemented in practice.

Is a TPN audit mandatory?

TPN participation is not a legal requirement, but it is effectively required to do business with major studios that mandate it for their vendors. A studio sets the bar for a given engagement, and for sensitive content that bar commonly includes a current TPN assessment of the appropriate type, so vendors that want the work pursue one.

How long is a TPN assessment valid?

A TPN assessment reflects a point in time and is renewed on the program's cycle to keep the published posture current. A result also speaks only to the version of the best practices in force when it was performed, so a lapsed or older assessment provides weaker assurance than a current one against the latest standard.
