26.4: Sector-Specific Regulations

While horizontal regulations like the EU Cyber Resilience Act apply across industries, many sectors face additional supply chain security requirements tailored to their unique risk profiles. Financial institutions manage systemic risk that could destabilize economies. Healthcare organizations protect life-critical systems and sensitive patient data. Critical infrastructure operators maintain services essential to national security and public safety. Defense contractors handle classified information and weapons systems.

These sector-specific regulations often predate the broader supply chain security focus triggered by SolarWinds, reflecting longstanding recognition that certain industries require heightened scrutiny. However, recent updates have incorporated modern supply chain concerns—software composition analysis, SBOM requirements, and continuous monitoring—into frameworks originally designed for traditional vendor risk management. Understanding these sector-specific requirements is essential for organizations operating in regulated industries or supplying software to them.

Financial Services

The financial services sector maintains perhaps the most mature third-party risk management regulatory framework, developed over decades of supervisory attention to outsourcing and vendor relationships. Recent updates have explicitly incorporated software supply chain concerns.

OCC Third-Party Risk Management Guidance

The Office of the Comptroller of the Currency (OCC) issued updated third-party risk management guidance in June 2023, jointly with the Federal Reserve and FDIC. This guidance explicitly addresses technology supply chains:

"A bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships, including relationships with technology service providers and software vendors."

Key requirements include:

  • Due diligence on third-party security practices before engagement, including assessment of the third party's own supply chain management
  • Contractual provisions requiring security controls, incident notification, and audit rights
  • Ongoing monitoring of third-party security posture throughout the relationship
  • Concentration risk assessment when multiple critical functions depend on common suppliers or software components

The guidance specifically addresses fourth-party risk—the risk that a bank's direct vendors rely on subcontractors whose security failures could affect the bank. This chain of dependencies mirrors software supply chain concerns: a bank using financial software depends not only on the software vendor but on every open source component that vendor incorporates.

FFIEC Guidance

The Federal Financial Institutions Examination Council (FFIEC) provides examination procedures that examiners use to assess bank compliance. The IT Examination Handbook includes specific procedures for evaluating:

  • Software acquisition and development practices
  • Third-party technology service provider management
  • Patch management and vulnerability remediation
  • Change management for software systems

Examiners increasingly ask about software composition, dependency management, and SBOM capabilities during examinations. While not yet codified in formal requirements, these examination practices signal regulatory expectations.

EU Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA), effective January 17, 2025, establishes comprehensive ICT risk management requirements for EU financial entities. DORA explicitly addresses ICT third-party risk, including software supply chain considerations.

Key DORA provisions include:

  • ICT third-party risk management framework: Financial entities must maintain policies for managing ICT service providers, including software vendors
  • Register of information: Entities must maintain a register of all contractual arrangements with ICT third-party providers
  • Concentration risk: Assessment required for critical ICT providers serving multiple functions or entities
  • Exit strategies: Mandatory planning for transitioning away from third-party providers
  • Incident reporting: ICT-related incidents, including those originating from third parties, must be reported to competent authorities

DORA designates certain ICT providers as critical third-party providers (CTPPs) subject to direct oversight by European Supervisory Authorities. Major cloud providers and software vendors serving multiple financial entities may receive this designation, requiring them to undergo regulatory examination.

For software vendors serving EU financial institutions, DORA effectively extends regulatory requirements beyond the financial entities themselves. Contracts must include provisions enabling financial entities to meet their DORA obligations, including audit rights, incident notification, and exit assistance.

Healthcare

Healthcare organizations face supply chain security requirements from multiple directions: protecting patient data under HIPAA, ensuring medical device safety under FDA authority, and increasingly, managing cybersecurity risk to clinical operations.

HIPAA Business Associate Agreements

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (healthcare providers, health plans, clearinghouses) to enter Business Associate Agreements (BAAs) with vendors who access protected health information (PHI). While HIPAA predates modern supply chain security concerns, BAA requirements create a contractual framework for extending security obligations to software vendors.

BAAs must require business associates to:

  • Implement appropriate safeguards to protect PHI
  • Report security incidents and breaches
  • Ensure subcontractors (including software component providers) agree to equivalent protections
  • Make practices available for audit

The subcontractor requirement creates a chain of responsibility analogous to software supply chain obligations. A healthcare organization using electronic health record (EHR) software must have a BAA with the EHR vendor; that vendor must have agreements with cloud providers, component suppliers, and other parties accessing PHI.

HHS Office for Civil Rights (OCR) enforcement has increasingly focused on vendor-related breaches. The 2023 MOVEit vulnerability, which affected numerous healthcare organizations through their file transfer vendors, demonstrated how supply chain compromises propagate through the healthcare ecosystem.

FDA Medical Device Cybersecurity Guidance

The Food and Drug Administration (FDA) regulates medical devices, including software as a medical device (SaMD). FDA guidance documents establish cybersecurity expectations for device manufacturers, with specific attention to software supply chains.

The FDA's Premarket Cybersecurity Guidance (September 2023) requires medical device manufacturers to:

  • Provide an SBOM for all commercial, open source, and off-the-shelf software components
  • Document known vulnerabilities and their exploitation status
  • Demonstrate a secure product development framework aligned with recognized standards
  • Establish processes for postmarket vulnerability management

The SBOM requirement is particularly significant—FDA explicitly requires machine-readable SBOMs in standardized formats (SPDX or CycloneDX) as part of premarket submissions for cyber devices.

For postmarket requirements, manufacturers must:

  • Monitor components for newly discovered vulnerabilities
  • Assess vulnerability impact on device safety and effectiveness
  • Provide timely updates and communicate with users
  • Report certain vulnerabilities to FDA

The FDA's authority to refuse device clearance creates strong incentives for compliance. Manufacturers cannot simply accept supply chain security risk—they must demonstrate adequate controls to gain market access.
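As an added example (not from the original text and not FDA or CycloneDX tooling), the following Python checks a constructed CycloneDX SBOM against the premarket and postmarket expectations above: that components carry the fields automated matching needs, that each listed vulnerability has a declared exploitation status, and that a new advisory feed can be matched against the component list. Vulnerability ids and the advisory feed are placeholders; the field layout follows the CycloneDX `components` and `vulnerabilities` sections.

```python
import json

# Constructed CycloneDX 1.5 SBOM for a hypothetical device; vulnerability ids are placeholders
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.7",
     "name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "bom-ref": "pkg:generic/zlib@1.2.11",
     "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "lwip", "version": "2.1.3"}
  ],
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "pkg:generic/zlib@1.2.11"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": "pkg:generic/openssl@3.0.7"}],
     "analysis": {"state": "in_triage"}}
  ]
}"""

# Constructed postmarket advisory feed (placeholder ids), keyed by package URL
ADVISORY_FEED = [
    {"id": "VULN-PLACEHOLDER-2", "purl": "pkg:generic/openssl@3.0.7"},  # already documented
    {"id": "VULN-PLACEHOLDER-3", "purl": "pkg:generic/openssl@3.0.7"},  # new since submission
    {"id": "VULN-PLACEHOLDER-4", "purl": "pkg:generic/busybox@1.36.0"}, # not in this device
]

# Fields a component needs so tooling can match it against advisories
REQUIRED_FIELDS = ("name", "version", "purl")

def load_sbom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc

def incomplete_components(doc):
    """Names of components missing any field needed for automated matching."""
    return [c.get("name", "?") for c in doc.get("components", [])
            if any(f not in c for f in REQUIRED_FIELDS)]

def vulnerability_status(doc):
    """Documented vulnerabilities mapped to their declared analysis state."""
    return {v["id"]: v.get("analysis", {}).get("state", "in_triage")
            for v in doc.get("vulnerabilities", [])}

def unresolved(doc):
    """Entries whose exploitation status has not been settled."""
    return sorted(vid for vid, state in vulnerability_status(doc).items()
                  if state in ("in_triage", "exploitable"))

def newly_affected(doc, feed):
    """Advisories in the feed that hit a component purl but are absent from the SBOM."""
    purls = {c["purl"] for c in doc.get("components", []) if "purl" in c}
    known = set(vulnerability_status(doc))
    return sorted((a["id"], a["purl"]) for a in feed
                  if a["purl"] in purls and a["id"] not in known)
```

A component without a purl (here `lwip`) cannot be matched automatically, so the postmarket monitoring step silently misses it unless the completeness check is run first.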

Critical Infrastructure

Critical infrastructure sectors face sector-specific regulations reflecting their essential role in national security and public safety. Recent high-profile attacks—Colonial Pipeline, water treatment facilities, power grid intrusions—have accelerated regulatory activity.

NERC CIP Standards

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards establish mandatory cybersecurity requirements for the bulk electric system. CIP-013 specifically addresses supply chain risk management.

CIP-013 requires responsible entities to:

  • Develop and implement supply chain cybersecurity risk management plans
  • Assess and manage risks from vendor remote access
  • Address software integrity and authenticity verification
  • Manage risks from vendor-provided information system services

The standard requires entities to include security provisions in procurement contracts, conduct vendor security assessments, and verify the integrity of software and firmware before installation on critical systems.

NERC CIP standards carry mandatory compliance obligations with potential penalties for violations. Enforcement actions following audits have included multi-million dollar penalties, creating strong compliance incentives.

TSA Pipeline Security Directives

Following the May 2021 Colonial Pipeline ransomware attack—which disrupted fuel supplies across the southeastern United States—the Transportation Security Administration (TSA) issued emergency security directives for pipeline operators.

Security Directive Pipeline-2021-02 and subsequent updates require:

  • Identification of critical cyber systems
  • Implementation of specific cybersecurity measures
  • Contingency and recovery planning
  • Cybersecurity architecture design reviews

The directives explicitly address supply chain security, requiring operators to evaluate third-party risks and implement appropriate mitigations. Pipeline operators must assess the cybersecurity practices of vendors with access to operational technology systems.

TSA has indicated intent to incorporate these emergency requirements into permanent regulations through the rulemaking process, potentially expanding obligations and providing more specific supply chain requirements.

Defense Industrial Base

Organizations providing products and services to the Department of Defense face stringent supply chain security requirements reflecting national security concerns.

Cybersecurity Maturity Model Certification (CMMC) 2.0

The Cybersecurity Maturity Model Certification (CMMC) program establishes cybersecurity requirements for defense contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). CMMC 2.0, finalized in October 2024, streamlines the original five-level model into three tiers:

Level 1 (Foundational): 15 basic cyber hygiene practices for FCI protection. Self-assessment permitted.

Level 2 (Advanced): 110 practices aligned with NIST SP 800-171 for CUI protection. Assessment by C3PAOs (CMMC Third-Party Assessment Organizations) required for critical programs; self-assessment permitted for non-critical programs.

Level 3 (Expert): 134 practices based on NIST SP 800-172 for CUI on highest-priority programs. Government-led assessments required.

Supply chain security requirements appear throughout CMMC, including:

  • SC.L2-3.13.1: Monitor, control, and protect organizational communications at external boundaries and key internal boundaries
  • SR.L2-3.17.1: Develop a plan for managing supply chain risks
  • SR.L2-3.17.2: Identify, prioritize, and assess suppliers and contractor supply chains

CMMC's flow-down requirements extend obligations through the supply chain. Prime contractors must ensure subcontractors achieve appropriate certification levels, creating cascading compliance requirements.

DFARS 252.204-7012

The Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012) requires contractors to:

  • Implement NIST SP 800-171 security requirements
  • Report cyber incidents within 72 hours
  • Provide access to equipment and information for forensic analysis
  • Flow down requirements to subcontractors

This clause applies to all contractors handling CUI, creating baseline supply chain security obligations even before CMMC assessments.

Telecommunications

The telecommunications sector faces growing supply chain security attention driven by concerns about foreign adversary access to communications infrastructure.

FCC Supply Chain Rules

The Federal Communications Commission (FCC) has implemented multiple supply chain security measures:

Covered List: The FCC maintains a list of communications equipment and services that pose unacceptable national security risks. Equipment from Huawei, ZTE, and other designated entities may not be purchased using federal funds, and the Secure and Trusted Communications Networks Act established a reimbursement program for "rip and replace" of covered equipment.

Supply Chain Integrity Certification: Recipients of FCC universal service support must certify they do not use covered equipment or services.

Equipment Authorization: The FCC has revoked equipment authorizations for certain foreign-manufactured devices and enhanced review procedures for new authorizations.

These requirements primarily address hardware supply chain concerns but extend to software embedded in communications equipment. The FCC's actions reflect broader government concern about adversary access to telecommunications infrastructure through supply chain compromise.

Automotive

The automotive industry faces rapidly evolving cybersecurity requirements as vehicles become increasingly software-defined and connected.

UN Regulation 155 (UN R155)

UN Regulation 155 establishes mandatory cybersecurity requirements for vehicle type approval in jurisdictions adopting UN regulations (including the EU, Japan, South Korea, and others). Effective July 2022 for new vehicle types, the regulation requires manufacturers to:

  • Implement a Cybersecurity Management System (CSMS) covering the vehicle lifecycle
  • Demonstrate cybersecurity risk management in vehicle design
  • Detect and respond to cybersecurity attacks
  • Provide security updates throughout the vehicle lifecycle

UN R155 explicitly addresses supply chain security:

"The vehicle manufacturer shall demonstrate that processes used for their Cyber Security Management System ensure supply chain related security is addressed... including subcontractors, service providers, and other third parties."

UN Regulation 156 (UN R156) addresses software update management, requiring manufacturers to implement secure update processes and maintain software identification throughout the vehicle lifecycle—effectively requiring automotive SBOMs.

ISO/SAE 21434

ISO/SAE 21434:2021, "Road vehicles — Cybersecurity engineering," provides the engineering framework referenced by UN R155. The standard addresses supply chain security throughout the engineering lifecycle:

  • Clause 7: Distributed cybersecurity activities across suppliers
  • Clause 9: Continuous cybersecurity activities including monitoring
  • Clause 15: Cybersecurity requirements for suppliers and third parties

Automotive manufacturers must flow security requirements to tier-1 suppliers, who in turn flow requirements to tier-2 and tier-3 suppliers. The complexity of automotive supply chains—with thousands of suppliers contributing to a single vehicle—makes this cascading requirement particularly challenging.

Sector Comparison

The following table summarizes key supply chain security requirements across regulated sectors:

| Sector | Primary Regulations | SBOM Required | Third-Party Assessment | Incident Reporting |
| --- | --- | --- | --- | --- |
| Financial Services | OCC Guidance, FFIEC, DORA | Emerging | Contractual | Yes (DORA: 4-24 hrs initial, 72 hrs intermediate) |
| Healthcare | HIPAA, FDA Guidance | Yes (FDA devices) | BAA contractual | Yes (HIPAA breach rule) |
| Electric Utilities | NERC CIP-013 | Emerging | NERC audits | Yes (CIP-008) |
| Pipelines | TSA Directives | Emerging | TSA inspections | Yes (24 hours) |
| Defense | CMMC, DFARS | Emerging | C3PAO (Level 2-3) | Yes (72 hours) |
| Telecommunications | FCC Rules | No | Certification | Limited |
| Automotive | UN R155/R156, ISO 21434 | Effective (R156) | Type approval | Manufacturer-specific |

Several trends appear across sector-specific regulations:

Convergence toward common frameworks: Sector regulations increasingly reference NIST frameworks as implementation guidance. CMMC maps directly to NIST SP 800-171. FDA guidance references NIST CSF. Financial regulators point to NIST publications. This convergence simplifies compliance for organizations operating across sectors.

Explicit software supply chain attention: While traditional vendor risk management focused on service providers and outsourcing, recent regulatory updates explicitly address software components, open source dependencies, and SBOM requirements. This shift reflects recognition that software composition creates risks distinct from traditional vendor relationships.

Extended liability chains: Regulations increasingly require flowing security obligations through supply chains. Prime contractors must ensure subcontractor compliance. Device manufacturers must assess component suppliers. Financial institutions must evaluate fourth-party risks. This extended liability creates market pressure for supply chain security improvements.

Incident reporting acceleration: Reporting timelines have compressed dramatically—from "as soon as practical" to specific hour requirements. DORA mandates initial notification within 24 hours. DFARS requires 72-hour reporting. TSA directives specify 24-hour notification. These compressed timelines require pre-established processes and continuous monitoring capabilities.

Third-party assessment normalization: Independent assessment requirements have expanded beyond traditional audit sectors. CMMC requires third-party assessments for critical programs. Automotive type approval requires manufacturer CSMS verification. FDA requests third-party testing evidence. Organizations should anticipate assessment requirements even in sectors without current mandates.

We recommend organizations operating in regulated industries:

  1. Map all applicable requirements across horizontal regulations (EO 14028, CRA) and sector-specific obligations
  2. Identify common controls that satisfy multiple requirements, avoiding duplicative compliance efforts
  3. Establish unified third-party risk management that addresses both service provider and software supplier risks
  4. Implement SBOM capabilities proactively, anticipating formal requirements across sectors
  5. Prepare incident reporting procedures meeting the most stringent applicable timeline
  6. Engage regulators constructively as requirements evolve, providing practical implementation feedback