Vendor & Supply Chain Cyber Risk Management
Your vendor's risk is your risk.
Attacks can occur at every link in a typical software supply chain, and these kinds of attacks are increasingly public, disruptive, and costly. Being able to see all levels of vulnerability within the supply chain — especially cyber risks — is critical to the success of your business.
With our recent acquisition of Ion Channel, Exiger is the first and only technology company to illuminate every dimension of the supply chain, such as third-party suppliers, vendors, physical products, and software, including SBOM analysis.
Defining Cyber Supply Chain Risk Management (C-SCRM)
C-SCRM focuses on identifying suppliers, hardware and software in an organization’s ecosystem, then assessing their dependencies, and mitigating the vulnerabilities among them.
A growing list of U.S. federal regulations, like EO 14028, require agencies and the companies supporting them to improve their software vetting capabilities.
A key challenge in C-SCRM is knowing where to start. With hundreds of types of software, thousands of suppliers and tens of thousands of pieces of hardware, it’s hard to identify where to make a meaningful, measurable reduction in cyber risk within the supply chain.
“C-SCRM involves identifying, assessing and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains.
It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.”
The National Institute of Standards and Technology (NIST)
Addressing Cyber Vulnerabilities in Your Supplier Ecosystem
An effective risk management program depends on knowing the cyber risk that a critical third party presents to your organization’s systems. To assess supply chain risk, organizations need information from — and about — each link in the chain, including software.
Complex interdependencies make it nearly impossible to ensure the security of all components and contributors to supply chain. There are several challenges: Using tools that only assess “known vulnerabilities” will miss key supply chain risk events. It is inadequate to only identify the hidden risks that lurk when you inherit, purchase or outsource software capabilities. Another major source of unknown risks is open source software, which, on average, accounts for 75% of codebases.
Third-party exposure is not your fault, but it is your problem.
“From entities to software to raw materials, Exiger’s technology now covers all potential product risk so our customers can regain control of their supply chains”
Brandon Daniels
A Holistic View of C-SCRM Is Needed
Supplier Risk
- Poor maintenance
- Single point of failure
- Geopolitical risk
- Adversarial control
Code Risk
Prohibited components
Technical debt
Software vulnerabilities
Compromised tool chain
Counterfeit risk
Undeclared package or container inclusions
Ecosystem Risk
Dubious provenance
Abandoned code
Components transferred to new entities
Geographic concentration
Time to remediation
Operational Risk
- Integration/interoperability
- Supply chain fragility
- End-of-life
- License risk
Illuminate Cyber Risk in Your Entire Supply Chain
Exiger offers a systematic identification of cyber risks to and through the supply chain, prioritization of potential impact analysis, illumination of ecosystem and continuous monitoring of risk exposure. Capabilities encompass the security trust architecture, digital supply chain and cyber-physical systems:
- Product provenance
- Third-party prioritization
- Resilient ecosystem design
You can also easily monitor risk over time to ensure continuity and compliance with mandates like Executive Order 14028, CISA’s Software Bill of Materials (SBOM) guidance, CMMC, PCI SSC, and NIST.
The Exiger FedRAMP SaaS Platform
The technology is built on our experience uncovering risk in business relationships and understanding the core risk factors that might make a particular software, hardware or service untrustworthy – months in advance of known vulnerabilities.
Component events tracked daily
Supply chain installation source records
Unique Supply Chains
Legal Entities Accessibile
Leading risk indicators
Exiger Cyber Solutions Help You:
Manage, recognize, surface and mitigate cyber risk with real-time threat and vulnerability analysis
Conduct third, fourth, and fifth-party cyber risk assessments across IT vendor hardware and software supply chains
Continuously monitor for cyber risk and auto-generate alerts and breach flags
Explore identified risks with unique data sets and visualizations
Identify and detect where you need to mitigate first and fast
Streamlined workflow management and automated questionnaire capabilities
Supply Chain Explorer
Single-Click Supply Chain Due Diligence
Ion Channel
Enrich Software Inventories, Manifests and SBOMs with Supply Chain Intelligence and Proprietary Analytics
DDIQ Analytics
Organize, Scrutinize, Visualize & Operationalize Risk Information
Insight 3PM
Power your Onboarding Program with Exiger’s Risk Management Workflow Technology
Related C-SCRM Resources
CSO
Top Cybersecurity M&A Deals For 2023
CNN
Millions of Americans’ Personal Data Exposed in Global Hack
Press Release
Exiger Selected as Government-Wide Enterprise Supply Chain and Third-Party Risk Management Platform
Webinar
Managing Cyber Complexities in Supply Chain Risk Management
Press Release
Exiger Acquires Industry-Leading Software Supply Chain and SBOM Management Platform Ion Channel
Perspectives
