# TOP Mission SPH-D03: Supply Chain Security Vetting
Supply chain security vetting is the structured process of evaluating, scoring, and continuously monitoring the security posture of third-party vendors, technology suppliers, and managed service providers before and after they are granted access to organizational systems, data, or infrastructure. It exists because modern organizations inherit the security weaknesses of every entity in their supply chain, and attackers have demonstrated repeatedly that targeting a trusted supplier is often easier than attacking a hardened primary target directly.
Within the CDA Planetary Defense Model, this mission sits inside the Security Posture Hygiene (SPH) domain because supplier risk is a direct extension of the organization's own attack surface. Every API integration, every managed service agent installed on endpoints, and every cloud connector a vendor provisions represents a potential ingress point. The mission provides a repeatable, evidence-based framework for reducing third-party risk rather than accepting it passively through boilerplate contract language and annual questionnaires that no one validates.
This mission is distinct from procurement risk management, which focuses on financial and operational continuity factors like vendor solvency or delivery capacity. It is also distinct from legal vendor management, which addresses contract terms, liability clauses, and regulatory obligations. Supply chain security vetting is specifically concerned with the technical and operational security behaviors of third parties: their patch cadence, their access control practices, their incident response history, and their own supply chain dependencies. The mission covers software supply chain vetting (evaluating open-source libraries, build pipelines, and code signing practices), hardware supply chain vetting (assessing firmware integrity and component provenance), and cloud service provider vetting (evaluating shared-responsibility model compliance and configuration baselines).
Supply chain security vetting operates as a continuous cycle rather than a one-time gate. The mechanics break into five operational phases: inventory and tiering, initial assessment, contractual security obligations, continuous monitoring, and incident response integration.
Phase 1: Inventory and Tiering
Before any assessment can occur, the organization must know who its suppliers are and what access each supplier holds. This sounds obvious, but most organizations discover shadow IT vendors during this phase: SaaS tools purchased by individual departments, API integrations approved informally, and legacy service contracts that predate current security governance. The output of this phase is a vendor inventory with each supplier assigned a risk tier based on data sensitivity, system access depth, and operational criticality.
A practical tiering model uses three levels. Tier 1 suppliers have direct access to sensitive data, production systems, or identity infrastructure. These receive full technical assessments including penetration test evidence review, SOC 2 Type II report analysis, and live configuration verification. Tier 2 suppliers have indirect access or process non-sensitive organizational data. These receive questionnaire-based assessments validated against available threat intelligence and public breach history. Tier 3 suppliers have no system access and handle only publicly available information. These receive lightweight annual attestation reviews.
Phase 2: Initial Assessment
For Tier 1 suppliers, initial assessment includes requesting and reviewing third-party audit reports (SOC 2 Type II, ISO 27001 certification, or equivalent), issuing a structured security questionnaire mapped to a recognized control framework such as the CIS Controls or NIST SP 800-161, and scheduling a technical call to validate questionnaire responses against observable evidence. Security teams should request network architecture diagrams, data flow documentation, and evidence of vulnerability management practices including mean time to patch for critical CVEs.
For a concrete example: an organization onboarding a new HR information system vendor would request the vendor's most recent SOC 2 Type II report and review the auditor's exceptions section carefully. The security team would cross-reference the vendor's stated patch cadence against the vendor's public CVE history using the National Vulnerability Database. If the vendor claims a 30-day patch window for critical vulnerabilities but has three CVEs older than 90 days unpatched in their disclosed infrastructure, that discrepancy becomes a contractual negotiation point or a disqualifying finding depending on the organization's risk tolerance.
For Tier 2 suppliers, assessment includes issuing a streamlined questionnaire focused on critical controls: data encryption at rest and in transit, access control mechanisms, backup and recovery procedures, and incident response contact information. The organization validates responses against publicly available information: DNS records, certificate transparency logs, and any disclosed security certifications or audit results.
Phase 3: Contractual Security Obligations
Assessment findings translate directly into contract requirements. Security addenda should specify minimum security control baselines, mandatory breach notification timelines (72 hours is a common standard derived from GDPR requirements), the right to audit, and requirements for the supplier to disclose their own critical fourth-party dependencies. Without contractual teeth, assessment findings are merely advisory.
Critical contract clauses include security incident notification requirements that specify what constitutes a reportable incident and establish communication channels and escalation procedures. The organization should reserve the right to conduct or commission security assessments, including the right to review audit reports and security test results. Data handling requirements must specify encryption standards, data residency constraints, and secure disposal procedures for when the relationship terminates.
Phase 4: Continuous Monitoring
Initial assessment is a point-in-time snapshot. Supplier security posture degrades, gets acquired, loses key security staff, or suffers breaches that may not be publicly disclosed immediately. Continuous monitoring uses several inputs: attack surface monitoring tools that scan supplier-facing infrastructure for newly exposed services or certificate issues; threat intelligence feeds that flag when a supplier's domains or IP ranges appear in breach data or dark web markets; and periodic re-assessment on a cadence proportional to tier (annual for Tier 3, semi-annual for Tier 2, quarterly or continuous for Tier 1).
A real-world scenario: a financial services firm using a Tier 1 payment processing vendor detects through their attack surface monitoring tool that the vendor has exposed a remote desktop protocol (RDP) service on a previously closed port. The security team issues a formal notification to the vendor, requires remediation within 48 hours, and escalates to their vendor relationship manager if the vendor does not respond. This proactive detection prevents waiting for the vendor to self-report a breach that may have originated through that exposed service.
Attack surface monitoring tools like Shodan, SecurityScorecard, or RiskRecon can automate detection of certificate expirations, newly exposed services, DNS changes, and IP reputation issues across vendor infrastructure. Threat intelligence platforms can monitor for vendor domain names or employee credentials appearing in breach databases or dark web marketplaces.
Phase 5: Incident Response Integration
Supplier incidents must trigger internal response procedures. If a Tier 1 vendor reports a breach, the organization should have a pre-built runbook that covers: immediate access suspension or enhanced monitoring of vendor accounts, forensic review of logs for anomalous activity originating from vendor credentials, customer and regulatory notification assessment, and expedited procurement of an alternative supplier if continuity is at risk.
The incident response plan should include communication templates for notifying customers and regulators about vendor-originated incidents, decision trees for determining whether to suspend vendor access immediately or implement enhanced monitoring, and procedures for collecting and preserving forensic evidence that may be needed for insurance claims or legal proceedings.
Organizations that treat third-party security vetting as a checkbox exercise rather than a continuous program have produced some of the most consequential security incidents of the past decade. The 2020 SolarWinds compromise is the defining case: attackers inserted malicious code into a routine software update, which was then distributed to approximately 18,000 customers including multiple United States federal agencies. The organizations affected had accepted SolarWinds software as trusted without continuous monitoring of the behavioral baseline of that software in their environments. The breach persisted for months precisely because supply chain trust was assumed rather than verified.
The 2021 Kaseya ransomware attack follows the same pattern. Attackers compromised the managed service provider's remote monitoring and management platform and deployed ransomware to approximately 1,500 downstream organizations through trusted software distribution channels. The 2019 Capital One breach originated through a misconfigured web application firewall managed by Amazon Web Services, demonstrating that even hyperscale cloud providers can introduce risk through configuration errors or service vulnerabilities.
A common misconception is that requiring suppliers to complete an annual security questionnaire constitutes a vetting program. Questionnaires are self-reported, rarely validated, and static. They do not detect the vendor who was compliant at questionnaire time and suffered a breach six weeks later. Another misconception is that supplier SOC 2 certification guarantees security. SOC 2 certification confirms that a set of controls existed and operated effectively during a defined audit period. It does not confirm that those controls remain effective, that the audit scope covered all relevant systems, or that the vendor's fourth-party dependencies are secure.
The business impact of inadequate supply chain vetting extends beyond breach costs. Regulators including the U.S. Securities and Exchange Commission, the European Banking Authority, and sector-specific bodies like HIPAA enforcement agencies have all issued guidance making clear that organizations bear responsibility for the data protection practices of their vendors. A breach originating from an unvetted supplier does not transfer regulatory liability to that supplier; the primary organization retains accountability to affected individuals and regulators.
Operational disruption compounds the financial impact. When a critical managed service provider goes offline due to a ransomware attack, every client that built no resilience into its vendor management program faces simultaneous service degradation. The 2022 Okta breach affected hundreds of downstream customers who had implemented single sign-on without building alternative authentication mechanisms.
Within the Planetary Defense Model, supply chain security vetting is executed as a continuous mission under the SPH domain through the Autonomous Posture Command (APC) methodology. The APC principle is straightforward: your posture adapts, your hygiene never sleeps. This means that vendor monitoring is not a quarterly report generated by an analyst; it is an automated, always-on signal layer that feeds into the organization's broader security posture picture.
CDA structures this mission around three operational pillars that distinguish it from conventional vendor risk management programs. The first pillar is evidence-based tiering rather than relationship-based tiering. Many organizations inadvertently assign lower scrutiny to long-standing vendors because familiarity breeds assumed trustworthiness. CDA's approach enforces objective tiering criteria based on current access levels and current data exposure, not historical relationship length. A vendor that has been a partner for a decade but was recently granted production database access moves to Tier 1 automatically, regardless of relationship history.
The second pillar is machine-speed monitoring integrated with human decision authority. CDA uses attack surface management tooling and threat intelligence correlation to flag supplier anomalies in near real-time. Analysts do not spend cycles on scheduled report generation; they respond to prioritized signals. When a supplier's certificate expires or a new subdomain appears on their infrastructure that resolves to a suspicious IP range, the analyst receives an actionable alert with context, not a spreadsheet to review next quarter.
The third pillar is offboarding as a security event. Most vendor management programs focus on onboarding. CDA treats offboarding with equal rigor: credential revocation is verified rather than assumed, API keys are rotated, access logs are reviewed for any anomalous activity in the final 30 days of the relationship, and a formal closure record is created. This discipline prevents the persistent-access problem where terminated vendor relationships leave active credentials in production environments for months or years.
CDA also requires that SPH-D03 execution connects directly to the organization's incident response plan, so that a supplier breach triggers an immediate internal response sequence rather than waiting for the supplier to provide complete information about the scope and impact of their incident.