Part of our Infosec policy requires that we do a SAS 70 review of any high risk third party vendors. I am getting some gap letters and some letters saying that since the SAS 70 is getting phased out they will not be pursuing a new one. Any suggestions with how to deal with this?