🔗 Third-party and supply chain management
How to manage the risks posed by suppliers, service providers and software dependencies according to international practice (ISO 27036, NIST SP 800-161, NIS2, DORA, CRA, SLSA). Examples are fictional and intended for teaching.
Why It Is Important
Extended attack surface - every third party introduces risk
Third-party risk
Risk to the organisation from external suppliers, service providers and software components that have access to your data, systems or processes. You remain accountable for the consequences, even when the third party is at fault.
Related standards
ISO/IEC 27036 (supplier relationship security), NIST SP 800-161 (C-SCRM), NIST CSF 2.0 GOVERN function (GV.SC), NIS2 Article 21(2)(d), DORA (financial-sector ICT third-party risk), CRA (product security).
Fourth-party risk
Your suppliers' own suppliers (4th/nth parties) and concentration risk (too much dependence on a single cloud or service provider) usually stay invisible, yet they can stop your operations just like a direct incident.
Third Party Life Cycle
TPRM life cycle with continuous reassessment
Pre-contractual due diligence
Before the relationship starts, assess the supplier's security posture: Shared Assessments SIG questionnaire, independent attestations (SOC 2 Type II report, ISO 27001 certificate), penetration test summaries and financial stability.
Contract safeguard clauses
Data processing agreement (DPA, Article 28 GDPR), SLA with security objectives, right to audit, incident notification deadlines, approval of sub-processors, and return or deletion of data at termination.
Continuous monitoring
One questionnaire is not enough - the security posture changes over time. Use security ratings, vulnerability alerts, certificate validity tracking and risk-based periodic reassessment (the more critical the supplier, the more frequent the reassessment).
Tiering and due diligence depth
Criticality classification determines assessment depth
Why tiering
Not all suppliers are equally risky. Classification lets you focus limited resources on the most critical ones - deep assessment where the consequences are greatest, lightweight assessment where the risk is minimal.
Standardised questionnaires
Shared Assessments SIG (Standardized Information Gathering) - industry-standard questionnaire for assessing security posture. SIG Lite for lower-risk suppliers, SIG Core for deeper assessment. CSA CAIQ (Consensus Assessments Initiative Questionnaire) for cloud services.
Independent attestations
SOC 2 Type II (AICPA) - operating effectiveness of controls over a period of time. ISO/IEC 27001 certificate - ISMS conformity. ISAE 3402 for service organisations internationally. They reduce the need for your own audit.
Software supply chain
Software supply chain - attacks and defences
SBOM - list of components
Software Bill of Materials - a machine-readable list of all software components and their dependencies (formats: SPDX, CycloneDX). It lets you determine quickly whether a newly published vulnerability (e.g. Log4Shell) affects you.
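The check described above, as an added example that is not part of the original page: a small CycloneDX (JSON) SBOM is matched against an advisory record by package URL (purl) and version. The SBOM, the advisory record and its `fixed_in` field are constructed for illustration; the affected range mirrors the public Log4Shell advisory (log4j-core up to 2.14.1) but is teaching data, not vulnerability intelligence. Real SBOMs are fed to a scanner or an OSV/NVD lookup, and the version comparison below is simplified rather than a full Maven or PEP 440 implementation.

```python
"""Added example (not from the original page): match a CycloneDX SBOM against
a vulnerability advisory by purl and version.

The SBOM and the advisory below are constructed for illustration; the version
comparison is a simplified one, not a full Maven/PEP 440 implementation.
"""
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM with a direct and a transitive dependency.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "spring-boot", "version": "2.5.6",
     "purl": "pkg:maven/org.springframework.boot/spring-boot@2.5.6"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed advisory record: the package identity (purl without version) and
# the first version that is no longer affected (assumed field names).
ADVISORY = {
    "id": "CVE-2021-44228",
    "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "fixed_in": "2.15.0",
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts are padded to four positions so '2.15' == '2.15.0'; a
    pre-release suffix sorts before the plain release ('2.0-beta9' < '2.0').
    """
    main, _, pre = v.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", main)][:4]
    nums += [0] * (4 - len(nums))
    # Final element: (0, suffix) for a pre-release, (1,) for a release.
    return tuple(nums) + ((0, pre) if pre else (1,))


def purl_without_version(purl: str) -> str:
    """'pkg:maven/g/a@1.2' -> 'pkg:maven/g/a'."""
    return purl.split("@", 1)[0]


def affected_components(sbom_json: str, advisory: dict) -> list:
    """Return (purl, version) for every SBOM component the advisory applies to.

    Components without a purl are skipped: without a package identity the match
    cannot be made reliably, which is itself a finding for the SBOM's quality.
    """
    sbom = json.loads(sbom_json)
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl or purl_without_version(purl) != advisory["package"]:
            continue
        version = comp.get("version") or purl.rsplit("@", 1)[-1]
        if parse_version(version) < fixed:
            hits.append((purl, version))
    return hits


if __name__ == "__main__":
    for purl, version in affected_components(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: {purl} (version {version} < {ADVISORY['fixed_in']})")
```

Matching on the purl rather than on the bare component name is what keeps `log4j-api` (same name prefix, different artifact) out of the result; name-only matching is a common source of both false positives and missed transitive hits.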
SLSA and signing
SLSA (OpenSSF) - build integrity levels backed by provenance (attested evidence of where and how an artefact was built). Signing artefacts with Sigstore/cosign lets consumers verify that a package comes from the expected build pipeline and has not been tampered with or substituted.
Dependency hygiene
Pinning and lockfiles (reproducible builds), SCA scanning (OWASP Dependency-Check, pip-audit, Trivy), monitoring of transitive dependencies, and checking a project's health with OpenSSF Scorecard before adopting it.
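Pinning alone does not stop a substituted artefact; the pin has to be tied to a hash. The added example below (not code from the original page) models what `pip install --require-hashes` enforces: every entry must be pinned with `==` and carry a `--hash=sha256:` value, and a downloaded artefact is accepted only if its SHA-256 matches. The lockfile and the "downloaded" artefacts are constructed; their hashes are derived from those constructed bytes, not from real wheels.

```python
"""Added example (not from the original page): enforce pinned, hash-locked
dependencies so a substituted or tampered artefact is rejected before install.

The lockfile and the "downloaded" artefacts below are constructed; their
SHA-256 values are computed from those constructed bytes, not from real wheels.
"""
import hashlib
import re

# Constructed artefacts standing in for downloaded wheels.
GOOD_REQUESTS = b"constructed wheel bytes: requests 2.31.0"
GOOD_URLLIB3 = b"constructed wheel bytes: urllib3 2.2.1"
TAMPERED_REQUESTS = GOOD_REQUESTS + b"\n# attacker-injected payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile in pip's hash-pinned format, including a line continuation.
LOCKFILE = f"""
# generated by pip-compile --generate-hashes (constructed for this example)
requests==2.31.0 \\
    --hash=sha256:{sha256_hex(GOOD_REQUESTS)}
urllib3==2.2.1 --hash=sha256:{sha256_hex(GOOD_URLLIB3)}
"""

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<spec>\S*)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def logical_lines(text: str):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""
    if buf and not buf.startswith("#"):
        yield buf


def parse_lockfile(text: str) -> dict:
    """Map normalised package name -> {"version": str, "hashes": set}.

    Raises ValueError on any entry that is not pinned with '==' or carries no
    SHA-256 hash: a single such line downgrades the whole install to
    "trust whatever the index serves today".
    """
    entries = {}
    for line in logical_lines(text):
        m = REQ_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, spec, rest = m.group("name"), m.group("spec"), m.group("rest")
        if not spec.startswith("=="):
            raise ValueError(f"{name}: not pinned with '==' (got {spec or 'no specifier'!r})")
        hashes = {h.lower() for h in HASH_RE.findall(rest)}
        if not hashes:
            raise ValueError(f"{name}: no --hash=sha256 value")
        entries[name.lower().replace("_", "-")] = {"version": spec[2:], "hashes": hashes}
    return entries


def lockfile_is_strict(text: str) -> bool:
    """True only if every entry is both pinned and hashed."""
    try:
        parse_lockfile(text)
        return True
    except ValueError:
        return False


def verify_artifact(entries: dict, name: str, version: str, data: bytes) -> bool:
    """Accept an artefact only if name, exact version and SHA-256 all match."""
    entry = entries.get(name.lower().replace("_", "-"))
    if entry is None or entry["version"] != version:
        return False
    return sha256_hex(data) in entry["hashes"]


if __name__ == "__main__":
    locked = parse_lockfile(LOCKFILE)
    print("genuine requests 2.31.0:", verify_artifact(locked, "requests", "2.31.0", GOOD_REQUESTS))
    print("tampered requests 2.31.0:", verify_artifact(locked, "requests", "2.31.0", TAMPERED_REQUESTS))
    print("'requests>=2.0' accepted as strict lockfile:", lockfile_is_strict("requests>=2.0\n"))
```

The hash set is the real control: a mirror, a compromised index or a typosquatted package name can all serve something that satisfies `requests==2.31.0`, but not something with the recorded SHA-256. Regenerate the hashes only through a deliberate, reviewed update of the lockfile.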
Standards and regulation
Landscape of supply chain security standards
NIS2 - legal requirement
Article 21(2)(d) of the NIS2 Directive (EU 2022/2555) lists supply chain security as a mandatory risk management measure, including security-related aspects of the relationships with direct suppliers and service providers.
ISO 27036 and NIST 800-161
ISO/IEC 27036 provides a governance framework for information security in supplier relationships. NIST SP 800-161 (C-SCRM) - detailed practices for managing cybersecurity supply chain risk at organisation, process and system level.
DORA and CRA
DORA regulates ICT third-party risk in the financial sector, including oversight of critical ICT third-party service providers. The Cyber Resilience Act (CRA) imposes cybersecurity requirements on manufacturers of products with digital elements placed on the EU market.
Practical controls
Three layers of controls + the invisible risks
The contract is the first line of defence
Security requirements must be written into the contract before signing - adding them later is hard. Data processing agreement, SLA with measurable security objectives, audit rights and clear incident notification deadlines.
Technical isolation
Give the supplier only the access it needs (least privilege), isolate that access (segmentation, Zero Trust), require MFA and log its actions. This limits the damage when the supplier is compromised.
Plan the exit from the beginning
Concentration and fourth-party risk call for exit and substitution plans and business continuity testing. The supplier's incident is your incident - include suppliers in the incident response plan and in exercises.