Execute Supply Chain Risk Management (SCRM) practices to assess, select, contract, monitor and manage trustworthy third parties for product and service delivery.
Organizations minimize security, compliance and resilience risks associated with third parties through due diligence, contractual safeguards, ongoing monitoring, performance management, contingency planning and exit strategies.
Supply chain risk has moved from theoretical concern to documented attack vector. The TPM domain governs the Supply Chain Risk Management (SCRM) practices that organizations use to assess, select, contract, monitor and manage third parties that deliver products and services. SolarWinds, Kaseya and similar incidents demonstrated that a trusted third party with deep access to customer environments is an attack path that bypasses most internal controls.
The SCF's intent for TPM covers due diligence, contractual safeguards, ongoing monitoring, performance management, contingency planning and exit strategies. That last item is significant. Most third-party management programs focus on assessment and contract negotiation; few plan for what happens when a vendor fails, is acquired by a hostile party, or becomes unreachable during an incident. Contingency planning and exit strategies are control requirements in the SCF, not optional maturity additions.
Third-party risk does not end when the contract is signed. Vendors change, their security postures change and the dependencies between their systems and yours change. TPM requires ongoing monitoring that continues throughout the relationship, not just initial assessment.