25.1 Evaluating Vendor Supply Chain Practices¶
The software you purchase includes software your vendors purchased—and software their vendors purchased. The SolarWinds attack demonstrated this vividly: organizations that had never heard of SolarWinds Orion discovered they were exposed because their vendors used it.1 Your security posture is only as strong as the weakest link in your extended supply chain, making vendor supply chain evaluation essential for managing organizational risk.
Traditional vendor security assessments focus on data handling, access controls, and incident response. Supply chain security adds new dimensions: How do vendors build their software? What dependencies do they include? How do they verify the integrity of their releases? These questions require different evaluation approaches than conventional third-party risk management.
This section provides a framework for assessing vendor supply chain security practices—during procurement, contract negotiation, and ongoing relationships.
Due Diligence Questionnaires¶
Questionnaires remain the foundation of vendor security assessment, providing structured information collection at scale. Several frameworks address supply chain security with varying depth and focus.
Questionnaire framework comparison:
| Framework | Focus | Supply Chain Coverage | Best For |
|---|---|---|---|
| SIG (Standardized Information Gathering) | Comprehensive security | Moderate; software development lifecycle section | General vendor assessment with security depth |
| CAIQ (Consensus Assessment Initiative Questionnaire) | Cloud security | Limited direct coverage; some DevOps questions | Cloud service providers |
| NIST 800-161 | Supply chain risk | Comprehensive; purpose-built | Critical suppliers, government contractors |
| Custom supply chain | Targeted assessment | Deep, specific coverage | High-criticality vendors |
SIG Questionnaire:
The Shared Assessments SIG questionnaire is widely accepted and includes software development and third-party management sections. Key supply chain-relevant domains:
- Application Security (Domain H): Secure development practices
- Third Party Management (Domain T): Vendor's vendor management
- System Development (Domain L): SDLC practices
Note: The SIG questionnaire has been updated in 2023-2024 to include "Nth Party Management" and "Supply Chain Risk Management" domains specifically addressing modern supply chain concerns. Even with these additions, supplement with supply chain-specific questions for comprehensive coverage.
CAIQ (CSA):
The Cloud Security Alliance's CAIQ aligns with the Cloud Controls Matrix (CCM) and focuses on cloud service security. Supply chain coverage is indirect:
- DevOps security controls
- Change management
- Vulnerability management
Limitation: CAIQ assumes cloud/SaaS context; less applicable to software products.
Supply chain-specific questionnaire additions:
Standard questionnaires need supplementation. Key questions to add:
# Software Composition and Dependencies
1. Do you maintain a Software Bill of Materials (SBOM) for your products?
- If yes, what format (`SPDX`, `CycloneDX`)?
- Can you provide SBOMs to customers upon request?
2. How do you evaluate third-party and open source components before inclusion?
- What criteria do you use (security, maintenance, license)?
3. How do you monitor dependencies for newly disclosed vulnerabilities?
- What is your SLA for addressing critical vulnerabilities in dependencies?
## Build and Release Integrity
4. What SLSA level do your build processes achieve?
- Do you generate and publish build provenance?
5. How do you ensure the integrity of your release artifacts?
- Are releases signed? What signing mechanism?
- How can customers verify signatures?
6. Who has access to publish releases? How is that access controlled?
## Supply Chain Incident Response
7. How would you detect a compromise of your build system?
8. Describe your process for notifying customers of supply chain incidents.
9. Have you experienced any supply chain security incidents in the past 3 years?
- If yes, describe and explain remediation.
Evidence Collection¶
Questionnaire responses are claims; evidence validates them. For supply chain security, specific artifacts demonstrate practice maturity.
Evidence request templates:
| Evidence Type | What to Request | What It Demonstrates |
|---|---|---|
| SBOM | SBOM for the product you're purchasing | Transparency; enables your own vulnerability tracking |
| Build provenance | SLSA provenance attestations | Build integrity; verifiable build process |
| Signing certificates | Public keys or certificates used for signing | Release integrity verification capability |
| Vulnerability management SLA | Documented policy with timelines | Commitment to timely remediation |
| Dependency policy | Written policy on evaluating/approving dependencies | Proactive risk management |
| Audit reports | SOC 2 Type II, ISO 27001, relevant sections | Independent validation of controls |
| Penetration test results | Summary or full report (redacted) | External validation of security |
| Security certifications | OpenSSF Best Practices Badge, SLSA certification | Industry-recognized maturity indicators |
SBOM request template:
Subject: SBOM Request for [Product Name]
As part of our vendor security evaluation, we request a Software
Bill of Materials (SBOM) for [Product Name] version [X.Y.Z].
Requested format: `CycloneDX` 1.7+ or `SPDX` 2.3+ (JSON preferred)
Required information:
- All direct and transitive dependencies
- Version information for each component
- License information
- Supplier/author information where available
We will use this SBOM to:
- Evaluate supply chain risk during procurement
- Monitor for vulnerabilities during our use of the product
- Meet our compliance and risk management requirements
Please provide the SBOM within [timeframe] or indicate if you
cannot provide one and why.
Evaluating evidence quality:
| Quality Indicator | Strong Evidence | Weak Evidence |
|---|---|---|
| Completeness | All dependencies, including transitive | Only direct dependencies |
| Currency | Current version, regularly updated | Old version, unknown update frequency |
| Format | Standard formats (SPDX, CycloneDX) |
Custom or proprietary format |
| Verification | Signed attestations, third-party validation | Self-reported claims only |
| Accessibility | Available on request or published | Requires negotiation or unavailable |
Assessing Vendor Maturity¶
Beyond checking boxes, assess overall supply chain security maturity. Frameworks like SLSA (Supply-chain Levels for Software Artifacts) and OpenSSF Scorecard provide structured evaluation criteria.
Maturity assessment criteria:
SLSA (Supply-chain Levels for Software Artifacts):
SLSA provides graduated levels of build integrity assurance:
| Level | Requirements | What It Means |
|---|---|---|
| SLSA 1 | Documented build process, provenance exists | Basic hygiene; better than nothing |
| SLSA 2 | Hosted build, signed provenance | Reduced risk of build tampering |
| SLSA 3 | Hardened build, non-falsifiable provenance | Strong protection against sophisticated attacks |
Ask vendors: "What SLSA level do your build processes achieve? Can you provide provenance attestations?"
OpenSSF Scorecard:
For vendors whose products include open source (most do), OpenSSF Scorecard provides automated assessment of repository security practices:
| Check | What It Evaluates |
|---|---|
| Branch-Protection | Are branches protected from direct pushes? |
| Code-Review | Are changes reviewed before merge? |
| Dangerous-Workflow | Are workflows protected from script injection? |
| Dependency-Update-Tool | Are dependencies kept current? |
| Signed-Releases | Are releases cryptographically signed? |
| Vulnerabilities | Are there unfixed vulnerabilities? |
For vendors with public repositories, you can run Scorecard yourself: scorecard --repo=github.com/vendor/product
Maturity levels for vendor evaluation:
| Maturity | Characteristics | Suitable For |
|---|---|---|
| Initial | No formal practices, reactive, no SBOMs | Only non-critical, low-risk use cases |
| Developing | Some practices, basic scanning, can provide SBOMs | Low-to-medium criticality with risk acceptance |
| Defined | Documented policies, regular scanning, SBOMs standard | Medium criticality |
| Managed | SLSA 2+, provenance, proactive monitoring | High criticality |
| Optimized | SLSA 3, comprehensive program, continuous improvement | Critical infrastructure |
Assessment Methodology Options¶
Questionnaires and evidence review are desk-based. For critical vendors, deeper assessment may be warranted.
On-site and remote assessments:
| Method | When to Use | What You Learn |
|---|---|---|
| Document review | All vendors | Policies and procedures on paper |
| Remote interview | Medium+ criticality | How well staff understand and apply practices |
| Technical demonstration | High criticality | Actual tool usage, process execution |
| On-site assessment | Critical vendors | Physical security, cultural indicators |
| Third-party audit | Critical vendors, regulatory requirement | Independent validation |
Remote assessment structure:
For vendors that warrant deeper assessment but don't justify on-site visits:
- Pre-assessment (1 week before):
- Send questionnaire and evidence requests
- Review documentation
-
Prepare targeted questions
-
Assessment call (1-2 hours):
- Introduction and scope confirmation
- Walk through key processes (build, release, vulnerability management)
- Technical demonstration if possible
-
Clarifying questions on questionnaire responses
-
Follow-up (1 week after):
- Request additional evidence
- Clarify discrepancies
- Document findings
Assessment interview questions:
## Build Process
- Walk me through how a code change becomes a released product
- Who can approve changes? Who can trigger builds? Who can publish releases?
- What happens if someone attempts an unauthorized release?
## Dependency Management
- How do you decide whether to add a new dependency?
- Show me how you learn about vulnerabilities in your dependencies
- What's your process when a critical vulnerability is disclosed?
## Incident Response
- Describe your most recent security incident (sanitized)
- How would you know if your build system were compromised?
- How would you notify customers of a supply chain issue?
Continuous Monitoring vs. Point-in-Time Assessment¶
Initial assessment provides a snapshot; continuous monitoring provides ongoing visibility.
Continuous monitoring approaches:
| Approach | What It Monitors | Tools/Methods |
|---|---|---|
| SBOM tracking | Changes in vendor's dependencies, new vulnerabilities | Your vulnerability management platform correlating vendor SBOMs |
| Security ratings | Vendor's external security posture | SecurityScorecard, BitSight, RiskRecon |
| Breach monitoring | Public disclosure of vendor incidents | News alerts, threat intelligence feeds |
| Certificate monitoring | Vendor's signing infrastructure | Certificate transparency logs |
| Repository monitoring | Changes in public repositories | GitHub watch, Scorecard scheduled scans |
Continuous monitoring program:
| Vendor Tier | Initial Assessment | Continuous Monitoring | Re-assessment |
|---|---|---|---|
| Critical | Full assessment, on-site possible | Active SBOM tracking, security ratings, real-time alerts | Annual |
| High | Detailed questionnaire, remote interview | Security ratings, breach monitoring | Every 18 months |
| Medium | Standard questionnaire, evidence review | Security ratings, periodic spot-checks | Every 2 years |
| Low | Abbreviated questionnaire | Breach monitoring only | Every 3 years or on renewal |
Triggering reassessment:
Re-evaluate vendors outside normal cycles when: - Security incident reported (theirs or in their supply chain) - Major product changes - Acquisition or ownership change - Significant organizational restructuring - Contract renewal - Elevated use of vendor product
Red Flags and Deal-Breakers¶
Some findings should give pause; others should stop procurement.
Red flag indicators:
| Finding | Severity | Response |
|---|---|---|
| Cannot produce SBOM | High | Serious concern for any software product |
| No vulnerability management process | High | Unacceptable for production software |
| Releases not signed | Medium | Expect remediation within defined timeframe |
| No incident response plan | High | Concerning for any critical vendor |
| Prior breaches handled poorly | Very High | May be disqualifying |
| Resistance to security questions | High | Indicates cultural or capability issues |
| Subcontractor security unknown | Medium-High | Supply chain risk extends to their vendors |
| Developers have direct production access | Medium | Concerning for segregation of duties |
| No multi-factor authentication for releases | High | Elevated account takeover risk |
Deal-breakers (consider stopping procurement):
- History of supply chain incidents with inadequate response
- Inability to articulate software development security practices
- No incident notification capability or commitment
- Refuses to provide any security evidence
- Use of known-compromised dependencies without remediation plan
- Legal or contractual resistance to security requirements
Contextualizing findings:
Not every gap is disqualifying. Consider: - Criticality of the vendor: Higher criticality demands higher standards - Nature of the gap: Process gaps may be addressable; cultural gaps are harder - Vendor's response: Defensiveness vs. acknowledgment and improvement plans - Available alternatives: Can you get this capability elsewhere? - Compensating controls: Can you mitigate the risk through your own controls?
Vendor Tiering by Criticality¶
Not all vendors require the same scrutiny. Tier vendors to focus effort appropriately.
Vendor tiering by criticality:
| Tier | Criteria | Assessment Approach |
|---|---|---|
| Critical | Core business systems, customer-facing, contains sensitive data, hard to replace | Full assessment, ongoing monitoring, contractual requirements, executive relationship |
| High | Important functions, significant data access, moderate replacement difficulty | Detailed assessment, regular monitoring, contractual requirements |
| Medium | Standard business functions, limited data access, alternatives available | Standard assessment, periodic review |
| Low | Minor functions, no sensitive access, easily replaced | Abbreviated assessment, spot checks |
Tiering criteria:
Evaluate vendors across dimensions:
| Dimension | Questions |
|---|---|
| Data access | What data does the vendor access or process? How sensitive? |
| System access | What systems can the vendor access? How privileged? |
| Integration depth | How deeply integrated is the vendor product? |
| Business impact | What happens if the vendor is unavailable or compromised? |
| Replaceability | How difficult would it be to switch vendors? |
| Regulatory exposure | Does vendor relationship trigger compliance requirements? |
Tiering example:
Critical:
- Core ERP system vendor
- Customer identity provider
- Primary cloud infrastructure
High:
- Development tools (IDE, CI/CD platforms)
- Security tooling vendors
- Customer communication platforms
Medium:
- HR systems
- Internal productivity tools
- Marketing technology
Low:
- Office supplies
- Facility management
- Non-integrated SaaS tools
Recommendations¶
We recommend the following approach to vendor supply chain evaluation:
-
Supplement standard questionnaires with supply chain-specific questions: SIG and CAIQ provide foundation but lack depth on modern supply chain concerns. Add questions about SBOMs, build integrity, and dependency management.
-
Request evidence, not just responses: Questionnaire answers are claims. Request SBOMs, provenance attestations, and audit reports that validate practices.
-
Use maturity frameworks for assessment: SLSA levels and OpenSSF Scorecard provide structured, industry-recognized criteria for evaluating supply chain security maturity.
-
Tier vendors by criticality: Allocate assessment effort proportionally. Critical vendors warrant deep assessment and continuous monitoring; low-risk vendors need abbreviated review.
-
Implement continuous monitoring for critical vendors: Point-in-time assessment decays immediately. Track vendor SBOMs, security ratings, and breach disclosures continuously.
-
Define red flags and deal-breakers before assessment: Know what findings are unacceptable before you start. This prevents pressure to overlook serious issues during procurement.
-
Document and communicate requirements early: Share your supply chain security expectations during RFP. This filters out unprepared vendors and gives serious vendors time to prepare evidence.
-
Treat assessment as relationship-building: The goal isn't to catch vendors failing—it's to establish mutual understanding of security expectations and build confidence in the relationship.
Vendor supply chain evaluation is an evolving discipline. As supply chain attacks increase, expectations will rise. Vendors who invest in supply chain security today will be better positioned for procurement conversations tomorrow—and organizations that evaluate rigorously will face lower risk from their extended supply chain.
-
CISA Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise," December 2020, https://www.cisa.gov/news-events/directives/ed-21-01-mitigate-solarwinds-orion-code-compromise; analysis of downstream vendor exposure in federal agencies. ↩