
Your Vendors Are Your Biggest Blind Spot

Most small business breaches don't start inside your network — they start at a vendor with access to it. Your payroll company, IT support firm, accounting software, and a dozen other third parties all hold keys to your systems. This tool helps you identify which ones carry the highest risk and what to do about it.

Based on: NIST SP 800-161r1 · CISA C-SCRM · FTC Safeguards Rule · FBI IC3 2024
62% of breaches involve a third party. Verizon DBIR 2024 found that 62% of all breaches involved a business partner, vendor, or supply chain component. The target was never breached directly — their vendor was.

#1 entry point: MSP compromise = full network access. When a Managed Service Provider is compromised, attackers inherit every network that MSP manages. FBI and CISA have issued multiple warnings specifically about MSP targeting by ransomware groups.

SolarWinds changed how we think about vendors. The 2020 SolarWinds attack compromised 18,000 organizations — including federal agencies — through a single software update from a trusted vendor. The same pattern repeats constantly at the SMB level.
IT Access & Managed Services
- Managed Service Provider (MSP) [Critical Risk]: Full remote admin access to your network
- IT Support / Break-Fix Vendor [High Risk]: Periodic access to systems and credentials
- RMM Tool (ConnectWise, Kaseya, etc.) [Critical Risk]: Agent on every device — prime ransomware pivot
- Cloud Backup / Data Storage Vendor [High Risk]: Holds copies of all your business data
Payments & Financial
- Payroll Provider (ADP, Paychex, Gusto) [Critical Risk]: SSNs, bank accounts, W-2s for all employees
- Payment Processor / POS Vendor [Critical Risk]: PCI DSS scope — handles cardholder data
- Accounting Software (QuickBooks, Sage) [High Risk]: Full financial records and banking connections
- CPA / Accounting Firm [High Risk]: Tax filings, financials, and banking credentials
Cloud & Productivity Platforms
- Microsoft 365 / Azure [Critical Risk]: Email, files, and identity for your entire org
- Google Workspace [Critical Risk]: Email, Drive, and identity management
- Website Host / Developer / Agency [High Risk]: Admin access to public-facing site and CMS
- VPN / Remote Access Software [High Risk]: Controls the gateway to your internal network
Professional Services
- Law Firm (contracts, IP, litigation) [High Risk]: Confidential records, IP, and deal strategy
- HR Software / Benefits Platform [High Risk]: Personal data and documents for all employees
- Staffing / Temp Agency [Medium Risk]: Temp workers may retain access after assignment ends
- Insurance Broker / Benefits Admin [Medium Risk]: Employee PII for benefits enrollment
Physical & Operational
- HVAC / Building Systems Vendor [High Risk]: Remote OT access — documented Volt Typhoon entry point
- Security / Alarm Monitoring Company [High Risk]: Network-connected cameras and access control
- Shipping / Logistics Partner [Medium Risk]: Customer data accessible via portal or API
- Marketing / Email Platform [Medium Risk]: Customer contact list and communication history
Sources: NIST SP 800-161r1 (C-SCRM) · CISA ICT Supply Chain Risk · FTC Safeguards Rule
Vendor Risk Score (out of 100): Check the vendors your business currently uses to see your exposure score and generate a custom action plan.
Ask Every Vendor
Six Questions Before You Trust a Vendor
NIST SP 800-161r1 recommends vetting every vendor with access to your systems or data. These six questions are the minimum baseline — sourced from CISA C-SCRM and FTC Safeguards Rule requirements.
Question 01 (Critical): Do you have a SOC 2 Type II report or equivalent audit? Can I see it?
A SOC 2 Type II report means an independent auditor verified the vendor's security controls over a period of time, not just a snapshot. If they can't produce one, their security practices are unverified.
Question 02 (Critical): Do all your staff who access my systems use multi-factor authentication?
MSPs and IT vendors are the #1 ransomware entry point specifically because attackers compromise vendor staff credentials. If the vendor doesn't require MFA on accounts with access to your systems, your network is only as secure as their weakest employee's password.
Question 03 (High): How do you notify me if you experience a breach that may affect my data?
Most state laws require breach notification, but timelines vary. You need a written SLA in your contract — not a verbal promise. NIST SP 800-161r1 recommends contractually requiring notification within 72 hours, mirroring the GDPR standard.
Question 04 (High): When you're done with a project or our contract ends, how is my data deleted?
Many vendors retain client data long after a relationship ends — sometimes indefinitely. This is a supply chain risk even after the vendor relationship is over. Get a written data deletion policy and ask for confirmation when access is terminated.
Question 05 (High): Do you use subcontractors or third parties who will have access to my systems or data?
Nth-party risk — your vendor's vendors — is how major breaches like SolarWinds and MOVEit propagated. NIST SP 800-161r1 specifically addresses this. If your MSP outsources monitoring to another firm, that firm is also in your threat model.
Question 06 (High): What is your least-privilege policy — does every technician get admin access, or only when needed?
The principle of least privilege is a core tenet of NIST and CISA guidance. If every vendor technician has standing admin credentials to your systems, a single compromised tech account gives an attacker everything. Access should be granted per task and revoked immediately after.
Authoritative Sources
C-SCRM Guidance for Small Businesses
These are the primary government frameworks and guidance documents underpinning this tool.
NIST SP 800-161r1 — Cybersecurity Supply Chain Risk Management
The definitive federal standard for C-SCRM. Revision 1 (2022) significantly expanded small business guidance, including vendor vetting checklists, contract language recommendations, and third-party assessment frameworks. Freely available.
CISA ICT SCRM SMB Resource Hub
CISA's dedicated small business supply chain resource hub, including the SMB C-SCRM handbook, a vendor assessment template, and a practical 3-step roadmap for building a vendor risk program. Developed specifically for businesses without dedicated security staff.
CISA / NSA / FBI AA22-131A — Protecting Against Cyber Threats to MSPs
Five-country joint advisory (US, UK, Australia, Canada, New Zealand) specifically about MSP targeting by ransomware groups. Includes a checklist of questions to ask your IT vendor and contract language recommendations for MSP customers.
FTC Safeguards Rule — Third-Party Service Provider Requirements
The FTC Safeguards Rule (amended 2023) requires financial businesses — including CPA firms, tax preparers, mortgage brokers, and auto dealers — to contractually require security standards from their service providers. Non-compliance carries civil penalties.

Want a Real Vendor Review?

Andrew will audit your actual vendor access controls, review your contracts for security gaps, and deliver a written C-SCRM report at no cost. Book your free assessment: no cost, no obligation. Franklin County PA · CISSP · SecurityX · GIAC GRID