Supply Chain Risk Management
Apply Supply Chain Risk Management (SCRM) concepts
Your security is only as strong as your weakest supplier. Supply Chain Risk Management (SCRM) covers the entire lifecycle of third-party dependencies:
- SBOMs (Software Bill of Materials) — inventory of all software components for vulnerability tracking.
- Silicon Root of Trust — hardware-level firmware verification to prevent tampering.
- Third-party assessments — SOC 2, ISO 27001 audits to validate vendor security posture.
- Vendor SLAs — minimum security requirements in contracts with enforceable accountability.
- Right-to-audit clauses — contractual right to inspect vendor security practices.
The 2024 exam update expanded SCRM significantly. This is no longer a footnote — expect direct questions on SBOMs and silicon root of trust.
At a mature organization, SCRM spans the entire vendor relationship:
- Pre-acquisition: Vendor security assessment before any contract is signed. Security questionnaires, evidence of SOC 2 Type II certification, review of their incident response capabilities.
- Contract stage: SBOM requirements written into all software contracts. Right-to-audit clauses for critical vendors. Minimum security standards (encryption, access controls, patching cadence) specified in SLAs.
- Ongoing monitoring: Annual SOC 2 Type II report reviews. Continuous monitoring of vendor security posture through threat intelligence feeds. Regular SBOM updates to track new vulnerabilities in third-party components.
- Hardware integrity: Silicon root of trust verification for all hardware procurement. Trusted Platform Modules (TPMs) to validate firmware hasn't been tampered with during manufacturing or shipping.
The Log4j vulnerability (2021) proved why SBOMs matter: organizations without a component inventory had no way to know if they were exposed. Those with SBOMs could assess impact within hours.
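To make the Log4j point concrete, here is an added example (not from the original page) of what "assess impact within hours" looks like mechanically: walk a CycloneDX-style SBOM, including nested components that represent transitive dependencies, and flag every component whose version falls inside an advisory's affected range. The SBOM, the advisory record (`ADV-PLACEHOLDER-0001` and its version bounds), and the component names are constructed sample data; in practice the range comes from the vendor advisory or an NVD feed.

```python
"""Walk a CycloneDX-style SBOM and flag components inside a known-vulnerable version range."""
import json
import re
from typing import Iterator

# Constructed sample SBOM (CycloneDX-like JSON, trimmed to the fields used here).
# The nested "components" entries model transitive dependencies shipped inside
# another package, which is where Log4j-style exposure usually hides.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "com.example", "name": "billing-service", "version": "3.2.0",
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
             {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
         ]},
        {"group": "com.example", "name": "reporting-service", "version": "1.8.4",
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
         ]},
    ],
})

# Constructed advisory record: the id and version bounds are placeholders, not
# real CVE data; in practice these come from the vendor advisory or NVD feed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, fixed version is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def walk_components(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, component) for every component, recursing into nested ones."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_exposed(sbom_json: str, advisories: list) -> list:
    """Return every component that falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for path, comp in walk_components(sbom.get("components", [])):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"advisory": adv["id"],
                             "component": " -> ".join(path),
                             "version": comp["version"]})
    return hits


if __name__ == "__main__":
    for hit in find_exposed(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} (version {hit['version']})")
```

Only the billing service's nested `log4j-core 2.14.1` is reported; the reporting service carries a version at or above the fixed bound and is left alone. The recursion is the part worth noticing: a flat list of direct dependencies would have missed exactly the transitive copies that made Log4j so hard to scope without an SBOM.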
| SCRM Control | What It Does | Why It Matters |
|---|---|---|
| SBOM | Inventory of all software components | Enables vulnerability tracking (Log4j scenario) |
| Silicon Root of Trust | Hardware-level firmware verification | Prevents supply chain tampering at the chip level |
| Third-Party Assessment | SOC 2, ISO 27001 audits | Validates vendor security posture independently |
| SLA Requirements | Minimum security requirements in contracts | Creates enforceable accountability |
| Right to Audit | Contractual right to inspect vendor | Ensures ongoing compliance verification |
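The "hardware integrity" bullet and the silicon-root-of-trust row above describe TPM-backed firmware verification without showing the mechanism. The following added example (not from the original page) simulates it: each boot stage is measured, the measurement is folded into a Platform Configuration Register with the TPM extend rule (new PCR = SHA-256(old PCR || digest)), and the final value is compared against a golden value recorded from a known-good image. The firmware blobs and stage names are constructed stand-ins; the extend rule and the all-zero reset value are how the SHA-256 PCR bank actually behaves.

```python
"""Replay a measured-boot event log against a golden PCR value (TPM-style extend)."""
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # PCRs in the SHA-256 bank start at all zeros after reset


def measure(blob: bytes) -> bytes:
    """Digest of a firmware stage; on real hardware the immutable boot ROM takes the first one."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || digest). One-way and order-dependent."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(stages: list) -> bytes:
    """Fold each stage's measurement into the PCR in boot order."""
    pcr = PCR_INITIAL
    for _name, blob in stages:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def verify_boot(stages: list, golden_pcr: bytes) -> bool:
    """Attestation check: does the replayed chain match the known-good value?"""
    return hmac.compare_digest(replay_event_log(stages), golden_pcr)


# Constructed firmware images standing in for the real boot chain.
KNOWN_GOOD_STAGES = [
    ("boot-rom", b"vendor boot ROM v1"),
    ("bootloader", b"bootloader build 4711"),
    ("kernel", b"kernel image 6.1"),
]
GOLDEN_PCR = replay_event_log(KNOWN_GOOD_STAGES)  # recorded when the golden image is enrolled

# A single changed byte in the bootloader stands in for a component tampered with in transit.
TAMPERED_STAGES = [
    ("boot-rom", b"vendor boot ROM v1"),
    ("bootloader", b"bootloader build 4712"),
    ("kernel", b"kernel image 6.1"),
]

if __name__ == "__main__":
    print("known-good boot verifies:", verify_boot(KNOWN_GOOD_STAGES, GOLDEN_PCR))
    print("tampered bootloader verifies:", verify_boot(TAMPERED_STAGES, GOLDEN_PCR))
```

Two properties carry the security argument. Because each extend hashes the previous register value, a modified stage cannot later "repair" the PCR by extending something else, and swapping the order of two genuine stages also produces a different final value. That is why a verifier only needs the golden value and the event log, not the firmware itself, to decide whether the hardware booted the chain it was shipped with.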
The 2024 exam update makes SCRM a first-class topic. SBOMs and silicon root of trust are explicitly in the exam outline. If you see a question about "listing all open-source components" — that's an SBOM. If you see "hardware-level firmware integrity" — that's silicon root of trust.
The Missing SBOM
Enterprise · SaaS procurement · Contract review
A new SaaS vendor offers a great product, but there's a security gap in the contract.
In practice, many vendors still resist providing SBOMs. They cite proprietary concerns or simply don't maintain one. The security team's job is to make the business case: without component visibility, you can't assess supply chain risk. Executive orders (like US EO 14028) are pushing SBOMs toward becoming industry standard.
On the exam: SCRM questions test whether you understand that vendor risk is your risk. The manager's role is to build security requirements into contracts, not to block vendors outright.
A critical vendor that handles your customer payment data refuses to allow your internal security audit, citing proprietary technology concerns. They offer their most recent SOC 2 Type II report as an alternative. Your contract doesn't include a right-to-audit clause (it was signed before your SCRM program existed).
Option A: Block the vendor until they allow your audit
Payment data is too sensitive. You need direct verification of their security controls, not a report they paid for.
Option B: Accept SOC 2 Type II + establish strict SLAs
A third-party audit is an accepted alternative. Add right-to-audit to the next contract renewal and establish compensating controls.
Answer: Option B is correct — enable the business while managing risk
Option B: A SOC 2 Type II report is a rigorous third-party assessment conducted by an independent auditor over a period of months. It's an accepted alternative to direct audits — and many large vendors (AWS, Azure, Salesforce) operate this way. The manager's approach: accept the report, negotiate a right-to-audit clause into the next contract renewal, and establish strict SLAs with security requirements and breach notification timelines.
Option A's kernel of truth: Direct audits provide the deepest assurance. For the most critical vendors, pushing for audit rights is appropriate. But blocking a critical vendor disrupts business operations — and SOC 2 Type II is widely accepted as sufficient evidence of security posture.
On the exam: "Think like a manager" means finding solutions that satisfy both security and business needs. SOC 2 Type II + contractual improvements is a mature, balanced response.
When you see "inventory of components" or "list of open-source libraries": that's an SBOM. When you see "hardware firmware verification" or "chip-level integrity": that's silicon root of trust. When you see "vendor security certification" or "independent audit report": that's a third-party assessment (SOC 2/ISO 27001). The exam describes the control in plain language and expects you to name it.
- A. Service Level Agreement (SLA)
- B. Software Bill of Materials (SBOM)
- C. Silicon Root of Trust
- D. Capability Maturity Model (CMM)
Correct: B. An SBOM (Software Bill of Materials) is an inventory of all software components, including open-source libraries, used in a product. It's explicitly in the 2024 CISSP exam outline. An SLA defines service requirements (not component lists). Silicon root of trust is hardware-level verification. CMM measures process maturity, not software composition.