2.4.2. Supply Chain Risk Management (SCRM)
💡 First Principle: Every piece of hardware, software, and service your organization relies on was built, assembled, or configured by people outside your direct control — and each of those outside parties represents a potential attack vector. SCRM manages the security of the trust relationships you've built with your supply chain.
Supply chain threat categories:
| Threat | Description | Example |
|---|---|---|
| Counterfeit products | Fake hardware/software sold as legitimate | Counterfeit Cisco routers with backdoors |
| Tampered hardware | Legitimate product modified during manufacturing or shipping | Hardware implants added to server motherboards |
| Compromised software | Legitimate software modified to include malicious functionality | SolarWinds Orion update containing SUNBURST backdoor |
| Dependency confusion | Malicious package substituted for a private internal package name | 2021 attacks on 35+ major companies via npm/PyPI |
| Vendor compromise | Attacker gains access via trusted third party | Target breach via HVAC vendor credentials (2013) |
| Vulnerable components | Legitimate but unpatched third-party components | Log4Shell in thousands of applications |
Key SCRM controls:
Software Bill of Materials (SBOM) — A formal, machine-readable inventory of all components in a piece of software: open-source libraries, commercial components, their versions, and known vulnerabilities. Executive Order 14028 (2021) now requires SBOMs for software sold to the US federal government. An SBOM enables rapid response when a new vulnerability is discovered in a component — you can immediately determine which of your products are affected.
Silicon Root of Trust — Hardware-level security anchor: a cryptographic measurement of the initial boot state is embedded in tamper-resistant hardware. Any modification to the boot firmware or bootloader changes the measurement, and the system will refuse to boot or alert. Prevents hardware/firmware supply chain tampering from persisting undetected.
Physically Unclonable Function (PUF) — Hardware-based device fingerprint derived from manufacturing variations. Each device has a unique PUF response to a challenge that cannot be cloned — used to authenticate hardware identity even without a pre-embedded secret.
Third-party risk management program components:
- Vendor classification — Tier suppliers by criticality and access level (critical infrastructure providers get more scrutiny than office supply vendors)
- Security questionnaires — Assess vendor security posture before onboarding (CAIQ, SIG, or custom)
- Contractual requirements — Minimum security requirements, right to audit, breach notification obligations in SLAs and MSAs
- Ongoing monitoring — Continuous monitoring of vendor security ratings (BitSight, SecurityScorecard), breach news, CVE disclosures in their products
- Incident response coordination — Defined process for joint IR when a vendor is compromised
⚠️ Exam Trap: Outsourcing to a vendor does not transfer your organization's regulatory accountability. If a payment processor you use is breached and cardholder data is exposed, your organization faces PCI DSS liability even though the processor held the data. Due diligence before contracting and contractual security requirements are your legal protection.
Reflection Question: Your organization uses a third-party library in your payment processing application that has just been found to contain a critical remote code execution vulnerability. You have no SBOM. Walk through the steps you would need to take, and explain how having an SBOM would have changed your response time and completeness.
