Supply Chain Risk
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- What supply chain risk is and where it comes from
- Mitigations: assess, monitor, contract, and root trust in hardware
- Exam-pattern recognition
SCRM acquisition risks and their primary mitigations
| Acquisition risk | What it is | Primary mitigation | Why it works |
|---|---|---|---|
| Counterfeit | A fake or unauthorized-production part passed off as genuine | Authorized resellers/provenance + PUF-based device identity | A unique hardware identity and verified provenance expose a part that is not the genuine article |
| Tampering / malicious implant | Hidden malicious software or hardware inserted into a product | Hardware (silicon) root of trust + verified/secure boot | A trusted in-chip element verifies firmware integrity and refuses or detects unauthorized change |
| Opaque software composition | Unknown vulnerable components buried in acquired software | Software Bill of Materials (SBOM) | An ingredient inventory lets you map a new CVE to affected products fast |
| Untrustworthy supplier | A vendor with weak or degrading security posture | Third-party assessment + continuous monitoring | Verifying up front and watching over time catches a supplier whose risk rises after purchase |
| Unenforceable expectations | Security relied on but never agreed | Minimum security requirements + SLAs + flow-down in the contract | Written, measurable obligations make supplier security auditable and enforceable, including sub-suppliers |
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- Cybersecurity Supply Chain Risk Management (C-SCRM) Project Whitepaper
- NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Whitepaper
- The Minimum Elements for a Software Bill of Materials (SBOM) Whitepaper
- NIST SP 800-193: Platform Firmware Resiliency Guidelines Whitepaper
- Security Design of the AWS Nitro System: The components of the Nitro System
- Microsoft Pluton security processor