Supply Chain Risk Management: Vendor Assessment, Due Diligence, and SLAs

Supply chain risk management addresses security risks from third-party vendors, suppliers, and partners. A vendor with weak security can become a backdoor into your organization.

The Importance of Supply Chain Security

The SolarWinds attack, disclosed in December 2020, demonstrated supply chain risk at scale: attackers compromised the software build pipeline of SolarWinds (an IT management vendor) and inserted malicious code into a signed, trusted update of its Orion product. Roughly 18,000 customers installed the trojanized update; the attackers then selected a much smaller set of those organizations for follow-on intrusion.

Supply chain risks include: compromised hardware (malicious chips or firmware), compromised software (tainted updates or dependencies), counterfeit components, vendor data breaches, insecure APIs, and subcontractor vulnerabilities.

Organizations must assess not just their direct vendors, but the vendor's vendors — risk propagates through the chain.

  • SolarWinds: supply chain attack through trusted vendor software update
  • Risk extends to your vendor's vendors
  • Trust but verify: don't assume vendor security is adequate
  • Supply chain attacks bypass traditional perimeter defenses

Vendor Assessment and Due Diligence

Vendor assessment evaluates a potential vendor's security posture before signing a contract. Due diligence is the investigative process of verifying claims.

Assessment methods: vendor security questionnaires (standardized questions about security practices, such as the SIG or CAIQ), independent penetration test results (a test you commission with the vendor's authorization, or a recent third-party report the vendor provides), SOC 2 reports (an independent auditor's report on the vendor's controls), certifications and authorizations (ISO 27001, FedRAMP), and reference checks with existing customers.

Key evaluation areas: data protection (encryption, access controls), incident response (capability and history), compliance (relevant regulations), business continuity (vendor resilience), financial stability (risk of vendor failure), and subcontractor security (who the vendor uses).

  • Vendor assessment: evaluate security before contract signing
  • Due diligence: verify claims through independent investigation
  • SOC 2 Type II: controls audited over a period (typically 6 to 12 months); stronger evidence than a Type I report, which covers a single point in time
  • Assess: data protection, incident response, compliance, financial stability
  • Ongoing monitoring: reassess vendors periodically, not just at onboarding

Legal and Contractual Controls

SLA (Service Level Agreement) — defines the expected service levels from the vendor. Security-relevant SLAs include uptime guarantees, incident response times, data restoration times, and notification requirements.

NDA (Non-Disclosure Agreement) — legally prevents the vendor from disclosing confidential information. Essential when sharing sensitive data or internal details during vendor evaluation.

MOU (Memorandum of Understanding) — a formal but usually non-binding statement of intent to work together, used before a contract exists. Check whether any clause (for example, confidentiality) is intended to bind the parties.

BPA (Business Partnership Agreement) — defines the terms of a partnership: each party's roles, responsibilities, and share of profits and liabilities. MSA (Master Service Agreement) — the master contract governing an ongoing vendor relationship; individual engagements are then scoped in statements of work (SOWs) under it.

Key contract provisions: right to audit (can you assess the vendor?), data ownership (who owns the data?), breach notification (timing and process), data return/deletion (when contract ends), and liability/indemnification (who pays if things go wrong).

  • SLA: service levels — uptime, response times, security commitments
  • NDA: prevents disclosure of confidential information
  • Right to audit: critical provision — ability to verify vendor security
  • Breach notification: defines when and how vendor reports incidents
  • Data return/deletion: vendor must return or destroy data when contract ends

Software Supply Chain Security

Modern software relies heavily on open-source dependencies and third-party libraries. A vulnerability in any dependency can affect all applications using it.

Software bill of materials (SBOM) — a formal, machine-readable inventory of all components in a software product, including transitive dependencies, typically in the SPDX or CycloneDX format. When a new vulnerability is published, an organization can query its SBOMs to find which products contain the affected component and version instead of inspecting each build by hand.

Software supply chain controls: dependency scanning (automated tools that check declared and transitive dependencies against known-vulnerability databases), code signing (verify that an artifact was produced by the expected publisher and not altered afterward), secure build pipelines (hardened CI/CD with restricted credentials and isolated builders), reproducible builds (an independent rebuild from the same source yields a bit-for-bit identical artifact, so a tampered build is detectable), and build provenance frameworks such as SLSA, which define levels of assurance for how an artifact was built.

  • SBOM: inventory of all software components — enables vulnerability response
  • Dependency scanning: detect vulnerable libraries (OWASP Dependency-Check, Snyk)
  • Code signing: ensure software hasn't been tampered with after build
  • SLSA (Supply-chain Levels for Software Artifacts): security framework for build pipelines
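As an added example (not code from the original page), the following Python script shows the SBOM lookup described above: it parses a small CycloneDX SBOM, extracts ecosystem, name and version from each component's package URL (purl), and matches them against advisories expressed as OSV-style half-open version ranges [introduced, fixed). The SBOM contents, package names and advisory IDs are all constructed for this example and do not refer to real software or real vulnerabilities; the version parser is a deliberate simplification of real semver/PEP 440 handling.

```python
"""Match a CycloneDX SBOM against vulnerability advisories (added example).
All components, versions and advisory IDs below are constructed."""
import json
import re

# Constructed CycloneDX 1.4-style SBOM with fictional components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.3.1",
     "purl": "pkg:pypi/acme-http@2.3.1"},
    {"type": "library", "name": "json-tools", "version": "1.0.7",
     "purl": "pkg:pypi/json-tools@1.0.7"},
    {"type": "library", "name": "fastcrypt", "version": "4.1.0",
     "purl": "pkg:npm/fastcrypt@4.1.0"}
  ]
}"""

# Constructed advisories in an OSV-like shape. Each range is a half-open
# interval [introduced, fixed); fixed=None means no fix has shipped yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "pypi", "package": "acme-http",
     "ranges": [("2.0.0", "2.3.2")]},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "pypi", "package": "json-tools",
     "ranges": [("0.0.0", "1.0.0")]},
    {"id": "EXAMPLE-2024-0003", "ecosystem": "npm", "package": "fastcrypt",
     "ranges": [("4.0.0", "4.1.0"), ("4.2.0", None)]},
]


def parse_version(version):
    """Reduce a version string to a comparable 3-tuple of ints.
    Simplification: only the leading digits of the first three dotted parts
    count, so '2.3' -> (2, 3, 0) and '1.0.0rc1' -> (1, 0, 0)."""
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into
    (ecosystem, name, version). Qualifiers and subpath are dropped; a
    namespace such as an npm scope stays part of the name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep or not name:
        name, version = rest, ""  # no version present in this purl
    return ecosystem.lower(), name, version


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        if v < parse_version(introduced):
            continue
        if fixed is None or v < parse_version(fixed):
            return True
    return False


def match_sbom(sbom_json, advisories):
    """Return [(advisory_id, package, version)] for each affected component."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    # Index advisories by (ecosystem, package) so each component is a lookup,
    # not a scan over every advisory.
    index = {}
    for adv in advisories:
        index.setdefault((adv["ecosystem"], adv["package"]), []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("purl"):
            ecosystem, name, version = parse_purl(comp["purl"])
        else:
            # Without a purl the ecosystem is unknown; name-only matching is
            # ambiguous, so such components will not match any advisory here.
            ecosystem, name, version = "unknown", comp.get("name", ""), comp.get("version", "")
        if not version:
            continue  # ranges cannot be evaluated without a version
        for adv in index.get((ecosystem, name), []):
            if is_affected(version, adv["ranges"]):
                findings.append((adv["id"], name, version))
    return findings


if __name__ == "__main__":
    for advisory_id, name, version in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{advisory_id}: {name} {version} is affected")
```

Run against the constructed data, only acme-http 2.3.1 is reported: json-tools 1.0.7 is past the fixed version, and fastcrypt 4.1.0 sits exactly on a fixed boundary, which the half-open comparison correctly treats as not affected. Components that lack a purl or a version are skipped rather than guessed at; in a real program those would be reported separately as gaps in the SBOM.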

Exam Tip

Know the key documents: SLA (service levels), NDA (confidentiality), MOU (intent to work together). Vendor assessment = evaluating security before contracting. Due diligence = verifying claims. SolarWinds is the canonical supply chain attack example.