KSI-RSC-MON—Monitoring Supply Chain Risk
Formerly KSI-TPR-04
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express supply chain risk through automated vendor monitoring pipelines — VRM platforms continuously scoring third-party posture, SBOM analysis flagging dependency vulnerabilities, and dashboards surfacing PII sharing flags and risk tiers without manual compilation. The trust center becomes a live map of vendor dependencies and their associated risks.
Vendor Compliance Dashboard
Dashboard expressing vendor risk scores, compliance status, assessment cadence, and PII sharing flags across the supply chain
Critical Vendor Inventory
How the organization identifies and tracks critical vendors with their security posture, certifications, and data handling classification
Vendor Risk Management Program
How the organization assesses and monitors third-party risks — scope varies by vendor criticality and data sensitivity
Subprocessor List
Published and maintained list of subprocessors with change notification mechanism
Programmatic Queries
CLI Commands
snyk monitor --all-projects
snyk monitor --all-projects --json | jq '.uri'
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your third-party software monitoring cover all dependency types — open-source libraries, commercial SDKs, container base images, OS packages, and cloud provider managed runtimes?
- Are dependencies tracked across all languages, frameworks, and package managers used in your CSO (npm, pip, Maven, Go modules, Cargo, etc.)?
- How do you ensure monitoring covers transitive (indirect) dependencies, not just direct dependencies listed in manifest files?
- Are there third-party components where you rely solely on contractual notification rather than active monitoring, and how do you verify those notifications are timely?
Automation & Validation:
- What automated SCA (Software Composition Analysis) tools monitor dependencies for vulnerabilities, and do they alert in near-real-time when new CVEs are published?
- How quickly after a vulnerability is disclosed in a third-party component do you detect it in your environment, and what is your SLA for remediation?
- What automated processes update or patch vulnerable dependencies — do you have automated dependency update PRs (Dependabot, Renovate)?
- What happens if automated patching breaks a build or test — how is the failure detected and the update adjusted without leaving the vulnerability unpatched?
Inventory & Integration:
- How do you generate and maintain SBOMs (Software Bill of Materials) for all deployed services, and in what format (SPDX, CycloneDX)?
- How does your SCA tooling integrate with your CI/CD pipeline to block deployment of artifacts with known critical vulnerabilities?
- What tools monitor the CISA KEV catalog and other exploit intelligence feeds to prioritize actively exploited third-party vulnerabilities?
- How do SCA findings integrate with your vulnerability management system to ensure third-party findings are tracked alongside infrastructure findings?
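The SBOM-to-pipeline-gate flow that the inventory and integration questions above describe (and the transitive-dependency question under Completeness & Coverage), as an added example that is not part of this page or of any vendor's tooling: it loads a constructed CycloneDX document, marks each component as direct or transitive from the SBOM's dependency graph, joins components to a constructed vulnerability feed on the version-less package URL, and fails the build when a finding is Critical by CVSS or appears in a constructed KEV snapshot. The package names, versions, bom-refs and the CVE-2099-* identifiers are placeholders, not real records.

```python
# Added example, not code from this page: gate a CI build on a CycloneDX SBOM.
# All inputs below are constructed placeholders, not real packages or CVEs.
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM for a fictional service; the "dependencies"
# graph is what distinguishes direct from transitive components.
SAMPLE_SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "acme-api", "bom-ref": "root"}},
  "components": [
    {"type": "library", "name": "acme-web", "version": "1.2.0",
     "purl": "pkg:npm/acme-web@1.2.0", "bom-ref": "pkg:npm/acme-web@1.2.0"},
    {"type": "library", "name": "acme-parser", "version": "0.9.1",
     "purl": "pkg:npm/acme-parser@0.9.1", "bom-ref": "pkg:npm/acme-parser@0.9.1"},
    {"type": "library", "name": "acme-auth", "version": "2.0.0",
     "purl": "pkg:pypi/acme-auth@2.0.0", "bom-ref": "pkg:pypi/acme-auth@2.0.0"},
    {"type": "container", "name": "acme-base", "version": "sha256%3A0123",
     "purl": "pkg:oci/acme-base@sha256%3A0123?tag=12", "bom-ref": "oci-base"}
  ],
  "dependencies": [
    {"ref": "root", "dependsOn": ["pkg:npm/acme-web@1.2.0", "pkg:pypi/acme-auth@2.0.0", "oci-base"]},
    {"ref": "pkg:npm/acme-web@1.2.0", "dependsOn": ["pkg:npm/acme-parser@0.9.1"]}
  ]
}'''

# Constructed feed keyed by version-less purl; CVE-2099-* are placeholder ids.
SAMPLE_FEED = [
    {"id": "CVE-2099-10001", "purl": "pkg:npm/acme-parser", "affected": ["0.9.0", "0.9.1"], "cvss": 7.5},
    {"id": "CVE-2099-10002", "purl": "pkg:pypi/acme-auth", "affected": ["2.0.0"], "cvss": 9.8},
    {"id": "CVE-2099-10003", "purl": "pkg:npm/acme-web", "affected": ["1.0.0"], "cvss": 5.3},
]
# Constructed KEV snapshot: the High-severity parser bug is known exploited, so
# it must block even though a CVSS-only threshold of 9.0 would let it through.
SAMPLE_KEV = {"CVE-2099-10001"}

def purl_base(purl):
    """Drop subpath, qualifiers and version: pkg:npm/a@1.0?q=1#p -> pkg:npm/a."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    return core.rsplit("@", 1)[0]

def purl_type(purl):
    """Ecosystem segment of a purl: pkg:npm/a@1.0 -> npm."""
    return purl.split(":", 1)[1].split("/", 1)[0]

def dependency_depth(sbom):
    """Map bom-ref -> 'direct' or 'transitive' by BFS from the root component."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {}, deque((ref, 1) for ref in graph.get(root, []))
    while queue:
        ref, hops = queue.popleft()
        if ref in depth:  # BFS order: first visit is the shortest path
            continue
        depth[ref] = "direct" if hops == 1 else "transitive"
        queue.extend((child, hops + 1) for child in graph.get(ref, []))
    return depth

def match_findings(sbom, feed, kev):
    """Join components to feed entries on version-less purl and exact version."""
    depth = dependency_depth(sbom)
    by_base = {}
    for vuln in feed:
        by_base.setdefault(vuln["purl"], []).append(vuln)
    findings = []
    for comp in sbom["components"]:
        for vuln in by_base.get(purl_base(comp["purl"]), []):
            if comp["version"] in vuln["affected"]:
                findings.append({"id": vuln["id"], "purl": comp["purl"],
                                 "cvss": vuln["cvss"], "in_kev": vuln["id"] in kev,
                                 "depth": depth.get(comp["bom-ref"], "unreachable")})
    return findings

def gate(findings, block_cvss=9.0):
    """(passed, blocking): block on Critical CVSS or on any KEV-listed finding."""
    blocking = [f for f in findings if f["cvss"] >= block_cvss or f["in_kev"]]
    return not blocking, blocking

def ecosystems(sbom):
    """Distinct purl types in the SBOM, to check SCA coverage per ecosystem."""
    return sorted({purl_type(c["purl"]) for c in sbom["components"] if "purl" in c})

def run(sbom_json=SAMPLE_SBOM_JSON, feed=SAMPLE_FEED, kev=SAMPLE_KEV):
    """Full pipeline: parse, match, gate; returns a report a CI step can consume."""
    sbom = json.loads(sbom_json)
    findings = match_findings(sbom, feed, kev)
    passed, blocking = gate(findings)
    return {"ecosystems": ecosystems(sbom), "findings": findings,
            "blocking": blocking, "passed": passed}

if __name__ == "__main__":
    report = run()
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["passed"] else 1)
```

Run as a script it prints the report and exits non-zero, which is the signal a pipeline stage needs to stop an artifact from being promoted; on the constructed input it fails on two findings, one Critical and one High-severity-but-KEV-listed transitive dependency that a CVSS threshold alone would have passed. To use it for real, replace the three constants with an SBOM from your generator and feeds from your SCA tool, OSV/NVD and the CISA KEV catalog, and replace the exact-version match with proper range evaluation, since real advisories express affected versions as ranges.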
Continuous Evidence & Schedules:
- How do you demonstrate that third-party software monitoring has been continuous and effective over the past 90 days?
- Is SBOM and dependency vulnerability data available via API for assessor review and FedRAMP consumption?
- What evidence shows third-party vulnerabilities are detected and remediated within the same timelines required for first-party vulnerabilities?
- How do you detect when monitoring coverage drops — for example, when a new repository or service is created without SCA integration?