Recent software supply chain attacks have prompted the United States Senate to pass legislation bolstering cybersecurity training for federal procurement personnel. The Supply Chain Security Training Act mandates that agencies assess and mitigate supply chain risk throughout the acquisition lifecycle. The Department of Homeland Security, NIST, and other federal agencies are tasked with coordinating and enforcing this program.
Managing software supply chain risks requires not only securing your organization against direct attacks but also mitigating the risk of third-party and Nth-party data breaches that could disrupt your business.
Your software supply chain refers to the applications that you use to provide services to your customers. In third-party risk management, software supply chain security involves identifying possible vulnerabilities in the underlying components within those applications and assessing their likelihood of being manipulated by cybercriminals.
Tighter cybersecurity provisions are essential to strengthening supply chain risk management, and we suggest all organizations – not just federal agencies – consider implementing the following best practices.
To minimize the risk of third-party software supply chain disruptions, require solution providers to share information about their software development lifecycle, including:
While initial assessments can come from vendor questionnaires, these only provide a snapshot in time. Complement your supplier assessments with continuously updated vendor risk data from sources including:
By keeping track of these intelligence sources, you maintain up-to-date insight into your suppliers' vulnerabilities, moving from static to dynamic supplier risk assessments.
However, beware of building an overly complex and potentially expensive risk-monitoring program. With hundreds of potential sources of cybersecurity and reputational intelligence, it’s easy to quickly become overwhelmed with uncorrelated data from disparate, separately licensed sources.
Choose platforms that centralize inputs from multiple intelligence sources, corroborate assessment outcomes, and meaningfully report on potential vendor risk exposure.
Visibility decreases the further upstream you go in your supply chain, which can conceal risks like ransomware attacks and security breaches. Gaining visibility into your extended vendor ecosystem can reveal relationships where your data is handled, but this information can be time-consuming to gather and quickly outdated.
To uncover these risks, construct comprehensive vendor profiles using a third-party assessment platform. These should include key vendor information such as location, fourth parties, and deployed technologies, together with external supplier perimeter scanning data. The outcome will be a relationship map that easily identifies technology concentration risk, so you’ll be better prepared when the next SolarWinds happens.
When a large-scale software supply chain breach occurs, the natural first question to ask is, “Are we impacted?” followed quickly by, “Are our third parties impacted?” We saw this scenario play out several times with breaches such as SolarWinds and Kaseya. Having comprehensive vendor profiles, as described in the best practice above, will put you in a great position to quickly answer that question.
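To make the relationship map and the “are our third parties impacted?” question concrete, here is an added example (not Prevalent’s code or data model) of a minimal vendor profile graph. The vendor names, technologies and fourth-party links are constructed and hypothetical. It walks each vendor’s chain of fourth parties to find every supplier whose upstream depends on a named technology, flags technologies that many vendors ultimately rely on (concentration risk), and lists fourth parties referenced but never profiled, which is where upstream visibility is lost.

```python
"""Added example: a small vendor relationship map for answering
"which of our suppliers are exposed to technology X?" and for spotting
technology concentration risk. All vendor names, technologies and
links below are constructed for illustration."""
from collections import defaultdict

# Constructed vendor profiles (hypothetical names). Each vendor lists the
# technologies it deploys and the fourth parties (its own suppliers) it uses.
VENDOR_PROFILES = {
    "PayrollCo":   {"technologies": {"OrionMon"},
                    "fourth_parties": {"CloudHostX"}},
    "CloudHostX":  {"technologies": {"OrionMon", "RMMToolY"},
                    "fourth_parties": set()},
    "LegalDocs":   {"technologies": {"DocSign"},
                    "fourth_parties": {"CloudHostX", "UnknownSaaS"}},  # UnknownSaaS has no profile
    "CateringLtd": {"technologies": set(),
                    "fourth_parties": {"PayrollCo"}},
    "BackupInc":   {"technologies": {"RMMToolY"},
                    "fourth_parties": {"BackupInc"}},  # self-loop: must not recurse forever
}


def upstream_technologies(profiles, vendor):
    """Technologies a vendor depends on, directly or through any chain of
    fourth parties. The visited set guards against cycles, and fourth parties
    without a profile are skipped (their depth is unknown to us)."""
    seen, stack, techs = set(), [vendor], set()
    while stack:
        v = stack.pop()
        if v in seen or v not in profiles:
            continue
        seen.add(v)
        techs |= profiles[v]["technologies"]
        stack.extend(profiles[v]["fourth_parties"])
    return techs


def exposed_vendors(profiles, technology):
    """Answer "are our third parties impacted?" for a breached technology:
    every direct vendor whose upstream chain deploys it, sorted for stable output."""
    return sorted(v for v in profiles
                  if technology in upstream_technologies(profiles, v))


def concentration_risk(profiles, threshold=2):
    """Technologies that at least `threshold` of our vendors ultimately rely on.
    Returns {technology: sorted list of dependent vendors}."""
    by_tech = defaultdict(set)
    for v in profiles:
        for t in upstream_technologies(profiles, v):
            by_tech[t].add(v)
    return {t: sorted(vs) for t, vs in by_tech.items() if len(vs) >= threshold}


def unprofiled_fourth_parties(profiles):
    """Fourth parties referenced by some vendor but never profiled: the point
    at which upstream visibility stops and an assessment gap begins."""
    referenced = set()
    for p in profiles.values():
        referenced |= p["fourth_parties"]
    return sorted(referenced - set(profiles))


if __name__ == "__main__":
    print("Exposed to OrionMon:", exposed_vendors(VENDOR_PROFILES, "OrionMon"))
    print("Concentration risk:", concentration_risk(VENDOR_PROFILES))
    print("Unprofiled fourth parties:", unprofiled_fourth_parties(VENDOR_PROFILES))
```

Note that CateringLtd deploys nothing itself yet is still reported as exposed to OrionMon, because its payroll provider’s hosting provider runs it; that transitive path is exactly what a spreadsheet of direct vendors misses.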
However, when it comes time to determine a vendor’s exposure and mitigation plans, many organizations are disadvantaged – using spreadsheets to assess and triage risks across potentially hundreds of supply chain partners.
Here are a few steps for taking a smarter, faster approach to incident response:
A manual, reactive stance on software vulnerabilities is not enough. Implementing these best practices will better position you for the next supply chain security challenge.
For more on how Prevalent can help reduce supply chain risk at every stage of the vendor lifecycle, read our white paper Navigating the Vendor Risk Lifecycle, or request a demo for a strategy session today.