Domain 1 of 8 · Chapter 11 of 12

Supply Chain Risk

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What supply chain risk is and where it comes from
  • Mitigations: assess, monitor, contract, and root trust in hardware
  • Exam-pattern recognition

SCRM acquisition risks and their primary mitigations

Acquisition riskWhat it isPrimary mitigationWhy it works
CounterfeitA fake or unauthorized-production part passed off as genuineAuthorized resellers/provenance + PUF-based device identityA unique hardware identity and verified provenance expose a part that is not the genuine article
Tampering / malicious implantHidden malicious software or hardware inserted into a productHardware (silicon) root of trust + verified/secure bootA trusted in-chip element verifies firmware integrity and refuses or detects unauthorized change
Opaque software compositionUnknown vulnerable components buried in acquired softwareSoftware Bill of Materials (SBOM)An ingredient inventory lets you map a new CVE to affected products fast
Untrustworthy supplierA vendor with weak or degrading security postureThird-party assessment + continuous monitoringVerifying up front and watching over time catches a supplier whose risk rises after purchase
Unenforceable expectationsSecurity relied on but never agreedMinimum security requirements + SLAs + flow-down in the contractWritten, measurable obligations make supplier security auditable and enforceable, including sub-suppliers

Cheat sheet

  • You inherit your suppliers' risk the moment you deploy what you bought
  • Cite NIST SP 800-161 as the authoritative C-SCRM reference
  • Counterfeit, tampering, and malicious implants are the core acquisition risks
  • Perimeter controls miss supply-chain threats because they ship inside trusted components
  • Assess a supplier before you commit, but never treat it as a one-time gate
  • Continuous monitoring catches a supplier whose risk rises after you bought
  • The contract is your only enforceable leverage over a third party
  • Minimum security requirements set the baseline controls a supplier must meet
  • For SCRM, SLAs are security obligations with deadlines, not just uptime
  • Flow-down clauses push your requirements onto the supplier's sub-suppliers
  • A right-to-audit clause lets you verify compliance instead of trusting it
  • An SBOM is a machine-readable list of the components inside software
  • Know the seven NTIA SBOM data fields and the three standard formats
  • An SBOM gives transparency, not protection
  • A hardware root of trust anchors integrity that misbehaves silently if it fails
  • A silicon root of trust is the technical answer to firmware tampering and implants
  • A PUF gives each chip an unclonable fingerprint to fight counterfeiting
  • SCRM owns the supplier relationship; neighbors own staff and code testing
  • Prefer a SOC 2 Type 2 report and read its system-description scope
  • Know counterfeit component types and non-destructive detection methods

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Cybersecurity Supply Chain Risk Management (C-SCRM) Project Whitepaper
  2. NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Whitepaper
  3. The Minimum Elements for a Software Bill of Materials (SBOM) Whitepaper
  4. NIST SP 800-193: Platform Firmware Resiliency Guidelines Whitepaper
  5. Security Design of the AWS Nitro System: The components of the Nitro System
  6. Microsoft Pluton security processor