Thanks, Charles. Actually, as I did more research, I think I understand what is needed by the vulnerability assessment now and need to work on creating a rating chart for them. One axis will be how likely a problem is to occur with a particular vendor and the other axis is how catastrophic a problem with that vendor would be to the company, right?
The other issue, which I incorrectly called Vendor checklist, should be "Approved Supplier" program which is in section 5.19. The first question really applies to 5.19 as well.
You are correct that 5.15 is the Food Defense program, and I need to come up with a VA form as well. I found a nice document for FCIS compliance (not AIB) and it has precautionary measures but no vulnerability assessment. If you have anything that would address that requirement, I would very much appreciate it!