Technology Portfolio Management (TPM) Best Practices
Assess and govern technology supply chain risk
Overview
Technology supply chain risk encompasses the full range of risks created by the organization’s dependencies on third-party technology components, platforms, and services. It includes the open source supply chain risk addressed in the Open Source Governance subsection, but extends to commercial software supply chain risk, cloud provider supply chain risk, and hardware supply chain risk. Every technology the organization uses was built using components, tools, and infrastructure provided by entities the organization did not choose or evaluate directly. The security and integrity of those upstream dependencies are material to the security and integrity of the organization’s own technology landscape.
Best Practice
Govern technology supply chain risk across all Technologies Inventory types through three complementary disciplines.

Component integrity verification: require evidence of the integrity of every technology component the organization installs or deploys, including software installers, firmware updates, hardware driver packages, and cloud service configurations. Use cryptographic verification where it is available and provenance documentation where cryptographic verification is not available.

Vendor supply chain assessment: include technology vendors' supply chain security practices as a component of the vendor health assessment for all significant technology vendors, evaluating whether vendors maintain SBOMs for their products, whether they operate a responsible disclosure program for security vulnerabilities in their supply chain, and whether they have experienced supply chain compromises and how they responded.

Incident response preparation: maintain a supply chain incident response capability that defines how the organization identifies affected systems, isolates exposure, and remediates when a supply chain compromise in a technology the organization depends on is disclosed.
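As an added illustration of the component integrity verification rule above (example code written for this page, not IF4IT's own material): a small Python admission check that applies cryptographic verification when a published digest exists, falls back to requiring complete provenance documentation when none exists, and never downgrades a failed cryptographic check to the provenance path. The component names, digests and provenance fields are constructed; the "good" digest is computed inside the block only because a self-contained example has no vendor out-of-band channel to fetch it from.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

CRYPTO_VERIFIED = "verified_cryptographic"      # digest checked against vendor-published value
PROVENANCE_ACCEPTED = "accepted_on_provenance"  # no crypto evidence; documented chain of custody
REJECTED = "rejected"                           # must not be installed or deployed
REQUIRED_PROVENANCE = ("built_by", "obtained_from", "obtained_on", "reviewed_by")

@dataclass
class Component:
    name: str
    kind: str                                 # installer, firmware, driver, cloud config
    artifact: bytes                           # bytes as received from the vendor
    published_sha256: Optional[str] = None    # digest from vendor's out-of-band channel, if any
    provenance: dict = field(default_factory=dict)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_component(c: Component) -> tuple[str, str]:
    """Cryptographic verification where available, provenance otherwise, else reject."""
    if c.published_sha256 is not None:
        actual = sha256_hex(c.artifact)
        if hmac.compare_digest(actual, c.published_sha256.lower()):
            return CRYPTO_VERIFIED, "sha256 matches published digest"
        # A failed cryptographic check is never downgraded to the provenance path.
        return REJECTED, "sha256 mismatch against published digest"
    missing = [k for k in REQUIRED_PROVENANCE if not c.provenance.get(k)]
    if missing:
        return REJECTED, "no digest and provenance incomplete: " + ", ".join(missing)
    return PROVENANCE_ACCEPTED, "no cryptographic evidence; documented provenance complete"

def audit_inventory(components: list[Component]) -> dict[str, str]:
    """Map component name -> verdict; anything REJECTED blocks deployment."""
    return {c.name: verify_component(c)[0] for c in components}

# Constructed sample inventory (hypothetical names, not real products).
GOOD_BYTES = b"installer-v1.2.3"
SAMPLE_INVENTORY = [
    Component("agent-installer", "installer", GOOD_BYTES, sha256_hex(GOOD_BYTES)),
    Component("nic-firmware", "firmware", b"fw-blob", "0" * 64),          # wrong or tampered file
    Component("gpu-driver", "driver", b"drv", provenance={"built_by": "vendor",
              "obtained_from": "vendor portal", "obtained_on": "2024-01-15", "reviewed_by": "tpm"}),
    Component("bucket-policy", "cloud config", b"{}", provenance={"obtained_from": "console"}),
]

if __name__ == "__main__":
    for name, verdict in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {verdict}")
```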
Benefit(s)
Technology supply chain risk governance reduces the organization’s exposure to one of the most consequential and least visible categories of technology security risk. Component integrity verification prevents the most direct supply chain attack vectors from reaching the organization’s systems. Vendor supply chain assessment creates incentives for technology vendors to improve their own supply chain security practices. And supply chain incident response preparation converts what is frequently a chaotic emergency response into a governed process that contains exposure and accelerates remediation.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present