Supply Chain Risk Management (SCRM)

Mitigating risk across hardware, software, cloud services, and third-party ecosystems

Supply chain risk now extends beyond hardware and on-premises software. Organizations rely on cloud service providers, SaaS platforms, managed service providers, and their subprocessors. Compromise of any upstream dependency can affect your environment, often through legitimate channels like APIs and delegated access.

NIST SP 800-161 Rev. 1 Update 1 provides a thorough, multilevel approach for integrating C-SCRM into enterprise risk management and system lifecycle. The FDIC OIG’s evaluation of the SCRM program reveals real-world gaps, including missing risk assessments and a lack of monitoring metrics.

To address these evolving risks, this article provides three key takeaways. Before outlining these points, it is important to understand the recent changes affecting supply chain security and their impact on organizational risk management.

Why the Supply Chain Has Changed

Historically, supply chain assurance covered shipment integrity, counterfeit detection, and software verification. Now, many critical suppliers only provide digital services. Organizations inherit risk from cloud services, SaaS applications, and subcontracted dependencies, such as data centers, support vendors, analytics providers, and integration partners.

This shift increases the odds that attackers succeed through account- or token-level abuse rather than traditional vulnerabilities. Recent incidents mainly target data exfiltration, enabled by stolen credentials, OAuth tokens, or trusted integrations.

With this evolution in mind, it’s crucial to clarify what is meant by Supply Chain Risk Management and how it relates to current threat scenarios.

Supply Chain Risk Management (SCRM) is the process of identifying, assessing, mitigating, and monitoring risks introduced by external parties—such as suppliers, contractors, component providers, and service vendors—throughout the lifecycle of products and services.

Key Supply Chain Risks to Address

Unauthorized third-party purchasing (eBay, marketplace sellers, gray market)

Buying equipment or components from unofficial sources can expose you to counterfeit, tampered, used-as-new, or misconfigured items with an unknown chain of custody. NIST defines a “secondary market” as an unauthorized or unintended distribution channel. When purchasing from unauthorized sources, NIST recommends conducting a risk assessment and implementing mitigations, such as checking for a counterfeit history or warning signs.

Cloud providers, SaaS platforms, and subprocessors

CSPs and SaaS providers are key components of the supply chain, and their subprocessors and integrations introduce additional risk. SCRM must address multi-tier dependencies—encompassing providers, subprocessors, and integrated applications—and apply risk-based controls to each.

Data exfiltration as a primary objective

Many supply chain attacks target data theft. Attackers with delegated access via OAuth apps, API keys, service accounts, or admin consoles can appear as legitimate users. Effective detection requires strong monitoring of bulk exports, anomalous API usage, and unusual app behavior, especially in high-value SaaS tools such as CRM platforms.

A Practical Blueprint: NIST SP 800-161 Rev. 1 Update 1

NIST SP 800-161 Rev. 1 Update 1 provides guidance for integrating cybersecurity supply chain risk management (C‑SCRM) into risk management activities using a multilevel approach:

  • Enterprise level: strategy, policy, governance, and implementation planning.
  • Mission and business process level: tailored processes aligned to critical workflows and priorities.
  • Operational/system level: system-level C‑SCRM plans and controls embedded in engineering, procurement, and operations.

NIST also advises acquiring parts from OEMs and authorized distributors and treating secondary-market purchases as risk decisions, requiring risk assessment and mitigation.

Implementation Lessons: FDIC OIG Evaluation

The FDIC OIG evaluation highlights gaps in SCRM maturity, including counterfeit hardware risk and reliance on unqualified providers, emphasizing the need to document risks, assess procurement, and establish monitoring metrics [2].

The report specifically recommends conducting supply chain risk assessments that consider suppliers, subcontractors, part and material origins, and third-party suppliers during the procurement process. It links missing monitoring metrics to greater risks from counterfeit parts or malicious code.

A robust SCRM program combines governance, disciplined procurement, and strong technical controls. Emphasize defining roles, maintaining key supplier inventories, sourcing through authorized channels, embedding security in contracts, validating hardware, managing integrations, and monitoring for data exfiltration.

  • Governance and ownership: Define roles, decision rights, and escalation paths; align SCRM with enterprise risk management.
  • Supplier and subprocessor visibility: Maintain an inventory of critical providers, key subcontractors, and high-risk integrations.
  • Authorized sourcing controls: For critical assets, require OEM/authorized channels; implement a documented exception process for emergency situations.
  • Contractual requirements: Flow down security obligations, incident notification timelines, audit/assurance expectations, and subprocessor obligations.
  • Receiving and acceptance checks: Quarantine and validate high-risk hardware before deployment; verify provenance where feasible.
  • Integration governance (SaaS/OAuth): Inventory connected apps, enforce least privilege, and routinely review permissions and token use.
  • Monitoring for exfiltration: Detect bulk exports, anomalous API calls, unusual admin actions, and suspicious third-party app behavior in key SaaS environments.
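The following added example (not DataComm's tooling or any vendor's product) shows how the integration-governance and exfiltration-monitoring bullets above translate into detection logic: it checks SaaS audit events against a connected-app inventory, flags scopes used beyond what was approved, and flags any app whose total rows read in a sliding window exceed a threshold. The log field names, app names, scopes and thresholds are constructed assumptions, not a real audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Connected-app inventory (constructed): app name -> scopes approved at onboarding.
APPROVED_APPS = {
    "crm-sync-bot": {"read:contacts"},
    "support-widget": {"read:cases"},
}

# Constructed JSON-per-line audit events; the field names are assumptions, not any
# vendor's real audit schema. "rows" is the record count returned by one API call.
SAMPLE_LOG = """
{"ts": "2025-09-01T10:00:00Z", "app": "crm-sync-bot", "scope": "read:contacts", "op": "query", "rows": 200}
{"ts": "2025-09-01T10:20:00Z", "app": "crm-sync-bot", "scope": "read:contacts", "op": "bulk_export", "rows": 48000}
{"ts": "2025-09-01T10:22:00Z", "app": "crm-sync-bot", "scope": "read:contacts", "op": "bulk_export", "rows": 51000}
{"ts": "2025-09-01T11:00:00Z", "app": "support-widget", "scope": "read:cases", "op": "query", "rows": 50}
{"ts": "2025-09-01T11:10:00Z", "app": "support-widget", "scope": "read:contacts", "op": "query", "rows": 10}
{"ts": "2025-09-01T11:30:00Z", "app": "unknown-exporter", "scope": "read:contacts", "op": "bulk_export", "rows": 5000}
"""

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events, row_threshold=50000, window=timedelta(hours=1)):
    """Return (kind, app, detail) findings for inventory, scope and volume checks."""
    findings = []
    per_app = defaultdict(list)  # app -> [(timestamp, rows)]
    for e in events:
        app, scope = e["app"], e["scope"]
        if app not in APPROVED_APPS:            # token for an app nobody onboarded
            findings.append(("unapproved_app", app, e["op"]))
        elif scope not in APPROVED_APPS[app]:   # least-privilege drift
            findings.append(("scope_beyond_approval", app, scope))
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        per_app[app].append((ts, e["rows"]))
    # Sliding window over rows one app pulled, regardless of op name, so an export
    # split into many ordinary "query" calls is still caught.
    for app, items in per_app.items():
        items.sort()
        start, total = 0, 0
        for ts, rows in items:
            total += rows
            while ts - items[start][0] > window:
                total -= items[start][1]
                start += 1
            if total > row_threshold:
                findings.append(("bulk_volume", app, total))
                break
    return findings
```

In practice the inventory would come from the SaaS platform's connected-app registry and the threshold from a per-app baseline rather than a fixed constant.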

Illustrative Incidents

Salesforce ecosystem incidents (third-party OAuth integrations)

Google Threat Intelligence Group described a widespread campaign targeting Salesforce customer instances via compromised OAuth tokens associated with a third-party application (Salesloft Drift), resulting in systematic data theft from affected environments [3]. Salesforce also investigated unauthorized access involving third-party applications published by Gainsight, underscoring the risk of trusted ecosystem integrations [4].

NordVPN third-party data center compromise

NordVPN publicly attributed an incident to unauthorized access linked to a third-party data center provider hosting one of its servers, highlighting how subprocessor and infrastructure dependencies can introduce exposure even when the core service is not directly exploited [5].

How DataComm Can Help

DataComm helps organizations implement SCRM without creating procurement or delivery bottlenecks. We offer support with:

  • SCRM maturity and gap assessment: Benchmark current practices against NIST SP 800-161 and prioritize improvements around your most critical suppliers and systems.
  • Program design and governance: Define the operating model, roles, policies, and reporting needed to sustain SCRM across the enterprise.
  • Procurement and contract integration: Embed supply chain security requirements into sourcing workflows and contract language, including subprocessor expectations.
  • Cloud/SaaS integration hardening: Reduce OAuth and connected-app risk through inventory, approval workflows, least-privilege patterns, and token hygiene.
  • Detection and response for data exfiltration: Implement monitoring, alerting, and playbooks focused on bulk export and anomalous API activity in key SaaS platforms.

Frequently Asked Questions (FAQ)

Is SCRM the same as vendor risk management (VRM)?

VRM is a component of SCRM. SCRM also covers sub-suppliers, components, logistics, cloud dependencies, subprocessors, and lifecycle risks.

Is it safe to buy IT equipment from Amazon Marketplace or eBay?

For low-impact items, purchasing from these channels may be acceptable; however, it increases the risk to critical infrastructure. NIST classifies unofficial channels as a “secondary market” and recommends authorized sourcing when possible. If secondary-market purchasing is unavoidable, conduct a risk assessment and implement additional mitigations [1].

How do CSPs and subprocessors change SCRM?

They introduce multi-tier dependency risk. Your provider’s data centers, support vendors, and integrated applications can create indirect pathways to your data.

Why do supply-chain attackers focus on exfiltration?

Data theft can be immediately monetized and may enable further compromise. When attackers gain delegated access through trusted applications or tokens, they can export data using standard APIs and administrative functions, making detection more difficult [3][4].

Where should we start?

Key takeaways: Begin by establishing governance, decision rights, and a risk-based inventory of suppliers. Integrate SCRM into procurement activities and ensure ongoing monitoring of your highest-risk dependencies.

Call to Action

If your organization relies on SaaS platforms, cloud infrastructure, managed services, or complex hardware supply chains, consider supply chain risk a business-critical issue. The most effective mitigation is an executive-led SCRM assessment, guided by NIST, with a prioritized roadmap targeting your highest-value data and most critical suppliers. Start with a focused, 2–4 week SCRM maturity assessment to produce: (1) a verified inventory of critical suppliers and subprocessors, (2) a risk-ranked controls improvement plan, and (3) procurement and integration guardrails to reduce your most substantial risks.

References

  [1] NIST. “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161 Rev. 1 Update 1).” NIST, May 2022 (includes updates as of Nov. 1, 2024). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf
  [2] Federal Deposit Insurance Corporation, Office of Inspector General. “The FDIC’s Implementation of Supply Chain Risk Management (EVAL-22-003).” March 1, 2022. https://www.fdicoig.gov/sites/default/files/reports/2022-08/EVAL-22-003-Corrected_0.pdf
  [3] Google Cloud (Google Threat Intelligence Group). “Widespread Data Theft Targets Salesforce Instances via Salesloft Drift.” Published 2025. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift/
  [4] Reuters. “Salesforce says customer data possibly exposed following incident.” Published Nov. 21, 2025. https://www.reuters.com/technology/salesforce-says-customer-data-possibly-exposed-following-incident-2025-11-21/
  [5] NordVPN. “Why the NordVPN network is safe after a third-party provider breach (official response).” Published 2019. https://nordvpn.com/blog/official-response-datacenter-breach/
