
Secure Supply Chain

Securing the supply chain is critical to protecting software and hardware from cyber threats.

Modern ecosystems rely on third-party components, open-source libraries, and global suppliers, making them vulnerable to supply chain attacks. Securing the supply chain is essential for building reliable and trustworthy products.

Developers and manufacturers must ensure that their products and their suppliers comply with the CRA. Educated buyers will check the whole supply chain of your product and will demand strict monitoring of the integrity of each part.

This guide helps you to verify the security of your supply chain and to comply with CRA requirements.

  • Overview and key principles of secure supply chain, for learning and understanding.

  • Tools, technologies, and resources that can be effectively integrated into your product.

  • Resources to enhance your knowledge of secure supply chain.

  • Resources to understand compliance and standards in secure supply chain.

Understanding Secure Supply Chain

A supply chain involves managing the flow of materials, components and information throughout every stage of production—from raw materials like metals and plastics to the finished product, including chips and software. It refers to the interconnected network of organizations, information and resources involved in the production and delivery of a product (or service). It spans the entire process, from sourcing raw materials and manufacturing components to assembly, distribution, storage and final delivery.

Supply chain security is not just about protecting individual components. It is about understanding the deep interdependencies across industries. A security breach in one sector can trigger a domino effect, impacting multiple industries that rely on interconnected supply chains. For example, a vulnerability in semiconductor manufacturing could disrupt the automotive, electronics and healthcare sectors, underscoring the need for stronger partnerships and cross-industry information sharing.

Why is a Secure Supply Chain needed?

As technology advances, supply chains have grown more complex, making them potential targets for cyber threats. Each link in the supply chain is a potential entry point for risks, making it crucial to integrate cybersecurity measures at every level.

A secure supply chain is essential for several key reasons:

  • Protection against cyber threats: Vulnerabilities within any component can compromise the integrity of the entire system

  • Business continuity: Disruptions caused by cyber incidents, geopolitical conflicts, or supplier failures can halt production and impact revenue

  • Regulatory compliance: Adhering to frameworks such as the CRA ensures products meet rigorous security standards

  • Global trade compliance: Regulations such as the FCC's restrictions on specific suppliers (Chinese manufacturers)

  • Consumer trust: A strong commitment to security and sustainability enhances brand reputation and fosters customer loyalty

  • Product integrity and quality assurance: Counterfeit or compromised components can lead to defective products, recalls, and reputational damage.

  • Sustainability requirements: Organizations must align with global initiatives such as the United Nations Sustainable Development Goals (SDGs), a framework of 17 objectives addressing social, economic and environmental challenges, or the European Green Deal, the EU's strategic plan to achieve climate neutrality by 2050

Without robust cybersecurity measures, an exploit in a single component can compromise an entire system, leading to data breaches, operational disruptions and legal consequences. Under the CRA, manufacturers and software vendors are held liable for ensuring the security of their products throughout their complete lifecycle. This means they must not only secure their own codebase but also verify the integrity of third-party dependencies. For instance, the SolarWinds attack demonstrated how a compromised software update can lead to widespread infiltration across enterprises and government agencies. To reduce liability risks, developers must implement strict vetting processes, SBOM (Software Bill of Materials) management and real-time vulnerability monitoring to detect and mitigate potential threats.

Other examples of supply chain attacks are malicious packages on PyPI, the MOVEit supply chain attack, the 3CX Desktop supply chain attack, the Ripple20 vulnerabilities, and the Kaseya attack.

Industry best practices for a Secure Supply Chain

To protect the software Supply Chain, developers and organizations must adopt industry best practices that ensure resilience. These include:

  • Zero Trust Security Model: Implementing Zero Trust principles, ensuring that every component and user is continuously verified before accessing critical systems

  • Supply Chain Risk Management: Evaluate and monitor suppliers, contractors, and third-party vendors for security risks. This includes conducting security audits and vetting the cybersecurity practices of your suppliers

  • Third-Party Component Security: Ensure that any third-party hardware or software incorporated into your products complies with the CRA’s security standards, and work with vendors to resolve vulnerabilities

  • Continuous Monitoring and Threat Intelligence: Leveraging threat intelligence feeds, vulnerability databases (CVE/NVD), and automated monitoring tools to proactively detect threats

  • Code Integrity and Digital Signing: Using Sigstore and cryptographic signing to ensure software integrity and prevent tampering.

  • Third-Party Risk Management: Establishing supplier security assessments and ensuring that vendors follow robust security practices, such as ISO 27001, NIST, and ENISA guidelines

  • Regular Security Audits and Penetration Testing: Conducting third-party audits, red team exercises and penetration tests to identify potential weaknesses before attackers exploit them

With the implementation of these best practices, developers and organizations can strengthen their security posture, reduce liability risks and comply with the CRA's stringent supply chain security requirements.
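The SBOM management and vulnerability monitoring described above, in miniature, as an added example (this is illustrative code written for this guide, not code from the page or from any tool it names). It reads a CycloneDX-style SBOM, verifies that the SHA-256 digest recorded for each component matches the artifact actually delivered, and matches each component's purl and version against an advisory feed; the result feeds the vendor notification duty in the checklist below. The SBOM, the artifact bytes and the advisory identifiers (EXAMPLE-ADV-…) are all constructed for this example, and the comma-separated version-range syntax is an assumption of this example, not the format of any real feed.

```python
"""Added example: SBOM-driven integrity check and vulnerability matching.
Everything below (artifacts, SBOM, advisories) is constructed for illustration."""
import hashlib
import json
import re
from typing import Dict, List

# Constructed artifact contents standing in for the delivered packages/binaries.
ARTIFACTS: Dict[str, bytes] = {
    "libexample": b"libexample-2.3.1 constructed bytes",
    "netparse": b"netparse-1.0.4 constructed bytes",
    "cryptoutil": b"cryptoutil-3.1.0 constructed bytes",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CycloneDX-style SBOM (subset of fields).  Names, versions and purls
# are made up; the hashes are real SHA-256 digests of the constructed bytes above.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": n, "version": v, "purl": f"pkg:generic/{n}@{v}",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS[n])}]}
        for n, v in (("libexample", "2.3.1"), ("netparse", "1.0.4"), ("cryptoutil", "3.1.0"))
    ],
}

# Constructed advisory feed.  The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_prefix": "pkg:generic/libexample",
     "affected": ">=2.0.0,<2.4.0", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0002", "purl_prefix": "pkg:generic/netparse",
     "affected": "<1.0.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0003", "purl_prefix": "pkg:generic/cryptoutil",
     "affected": ">=3.1.0,<=3.1.2", "severity": "medium"},
]

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}

def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); anything non-numeric is rejected rather than guessed."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))

def version_affected(version: str, spec: str) -> bool:
    """True when version satisfies every comma-separated constraint in spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        if not _OPS[m.group(1)](ver, parse_version(m.group(2))):
            return False
    return True

def check_sbom(sbom: dict, advisories: list, artifacts: Dict[str, bytes]) -> dict:
    """Verify each component's recorded hash against the delivered artifact and
    match its purl/version against the advisory feed."""
    report = {"integrity_failures": [], "findings": []}
    for comp in sbom["components"]:
        name, version, purl = comp["name"], comp["version"], comp["purl"]
        expected = next((h["content"] for h in comp.get("hashes", [])
                         if h["alg"] == "SHA-256"), None)
        delivered = artifacts.get(name)
        # A missing hash, a missing artifact or a mismatch all count as an integrity failure.
        if expected is None or delivered is None or sha256_hex(delivered) != expected:
            report["integrity_failures"].append(name)
        for adv in advisories:
            # The "@" keeps "pkg:generic/netparse" from matching "pkg:generic/netparse-extra".
            if purl.startswith(adv["purl_prefix"] + "@") and version_affected(version, adv["affected"]):
                report["findings"].append({"component": name, "version": version,
                                           "advisory": adv["id"], "severity": adv["severity"]})
    return report

def needs_notification(report: dict, severities=("critical", "high")) -> List[str]:
    """Advisory ids severe enough to trigger the contractual notification window."""
    return sorted({f["advisory"] for f in report["findings"] if f["severity"] in severities})

if __name__ == "__main__":
    clean = check_sbom(SBOM, ADVISORIES, ARTIFACTS)
    print(json.dumps(clean, indent=2))
    print("notify buyer about:", needs_notification(clean))
    # Simulate a tampered delivery: the bytes no longer match the SBOM's digest.
    tampered = dict(ARTIFACTS, netparse=b"netparse-1.0.4 MODIFIED bytes")
    print("integrity failures:", check_sbom(SBOM, ADVISORIES, tampered)["integrity_failures"])
```

Re-running the check whenever the advisory feed or the SBOM changes is what turns a static SBOM into the continuous monitoring the CRA expects; in practice the digest comparison would be complemented by verifying a signature over the SBOM itself (Sigstore, as mentioned above), which this example does not do.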

Top 4 Supply Chain risks

  • Third-Party Vendor Risk: Dependence on third-party vendors may lead to vulnerabilities, as they may not prioritize security

  • Data Integrity Risk: Ensuring data security in the supply chain is critical, particularly with third-party integrations

  • Digital Risk: Increased digital solutions introduce multiple potential entry points for cybercriminals

  • Supplier Fraud: Cybercriminals impersonate legitimate retailers through social engineering techniques, phishing or AI-generated content to steal sensitive information or intellectual property

Compliance and Standards

To achieve compliance, organizations must document and maintain evidence of their security measures, fostering accountability and trust with customers, regulators and partners. Failure to comply can lead to regulatory penalties, legal liabilities and increased cybersecurity risks.

Leverage industry standards like:

Education and Awareness

An often-overlooked factor is the role of cyber insurance. While it provides financial protection against cyber incidents, insurers now require firms to demonstrate robust security measures before offering coverage. This not only strengthens risk management but also creates a potential competitive advantage for companies that prioritize cybersecurity. Additionally, the human element remains a critical yet underestimated factor in supply chain security. Insider threats—often due to insufficient training or awareness—can open the door to cyberattacks. Cultivating a strong security culture strengthens organizational resilience. Given the complexity of modern supply chains, supply chain mapping is essential for identifying hidden vulnerabilities and understanding component interdependencies.


Other topics to consider are:

  • Geographical & Regulatory Risk Assessment: Evaluate potential risks associated with hardware and software sourced from high-risk regions to mitigate geopolitical threats.

    • Example: The U.S. Federal Acquisition Supply Chain Security Act (FASCSA) restricts certain vendors due to national security concerns.

  • Hardware & Firmware Traceability: Establish transparency by mapping supplier relationships to ensure security compliance and sourcing from trusted vendors.

    • Example: The NIST Supply Chain Risk Management (SCRM) Framework provides best practices for mitigating supply chain risks.

  • Automated Compliance Auditing: Leverage AI-driven compliance tools to streamline regulatory checks and detect vulnerabilities in open-source dependencies.

    • Example: Black Duck by Synopsys scans open-source components for compliance violations and security risks.

Key Recommendations 

  • Supplier audits: Conduct regular cybersecurity compliance audits to assess vendor security postures.

  • Data encryption: Ensure that sensitive data exchanged across the supply chain is encrypted to prevent unauthorized access.

  • Contractual security obligations: Include cybersecurity clauses in supplier contracts to enforce security accountability and risk mitigation measures.

Addressing these interconnected challenges holistically is essential for building a resilient and secure supply chain.

Tools and Technologies

Tools

  1. Vendor Risk Management Platforms: Tools that help assess third-party cybersecurity risks, such as OpenSCAP (automated compliance evaluation), Prevalent (automates third-party risk assessments) and BitSight (provides real-time risk ratings)

  2. Actionable Insight: Tools like Graph for Understanding Artifact Composition (GUAC) (provide insight in supply chain data)

  3. Risk Management Software: Tools like JFrog Xray (scans security flaws in software), RSA Archer (tracks compliance, industry standards and internal policies) and LogicManager (streamlines risk management into tasks)

  4. Supply Chain Monitoring: Solutions such as Resilinc (AI-driven monitoring of supply chain data) and Everstream Analytics (AI tool providing predictive insights)

  5. Compliance Management: Tools like ComplyAdvantage (AI-driven fraud and ML risk detection)

  6. Dependency Tools: OWASP Dependency-Check and Snyk (identify open-source software vulnerabilities) and Trivy (vulnerability scanner for containers and artifacts)

  7. CISA provides a Supply Chain Risk Management Toolkit holding frameworks and best practices. 


A CRA Vendor Checklist helps organizations to ensure their vendors comply with CRA requirements, reducing cybersecurity risks in the supply chain.

1. General Compliance

  • The Partner shall adhere to all applicable laws, regulations, and standards, including the Cyber Resilience Act (CRA) and associated harmonized standards, such as ETSI EN 303 645.

  • The Partner shall demonstrate ongoing compliance through documented evidence and certifications as required by regulatory authorities.

2. Secure Development and Production

  • The Partner agrees to adopt secure-by-design principles throughout the development and production processes, including:

    • Ensuring unique, non-default credentials for components.

    • Applying encryption to protect sensitive data in transit and at rest.

    • Reducing unnecessary functionality to minimize attack surfaces.

3. Cybersecurity Risk Management

  • The Partner shall implement a cybersecurity risk management framework, including regular assessments of potential threats and vulnerabilities within the supply chain.

  • The Partner agrees to report identified risks and collaborate with the Buyer to mitigate them effectively.

4. Vulnerability Management

  • The Partner shall:

    • Conduct regular vulnerability testing on supplied components or software.

    • Notify the Buyer within 48 hours of identifying vulnerabilities that could impact compliance or security.

    • Address critical vulnerabilities within an agreed timeframe (e.g., 15 business days).

5. Software Bill of Materials (SBOM)

  • The Partner shall provide an SBOM for each supplied component, detailing:

    • A list of software components, versions, and origins.

    • Known vulnerabilities linked to any component or library included.

  • The SBOM must be updated as components are modified or updated during the lifecycle of the product.

6. Incident Reporting and Response

  • The Partner agrees to notify the Buyer of any actual or suspected cybersecurity incidents within 24 hours of detection.

  • A root cause analysis and remediation plan must be submitted within five (5) business days of the incident notification.

7. Third-Party Compliance

  • The Partner shall ensure that any subcontractors or third parties engaged comply with CRA-aligned security requirements.

  • The Partner agrees to flow down these security obligations to all relevant third parties and provide proof of compliance upon request.

8. Documentation and Technical Files

  • The Partner shall maintain and provide the following documentation:

    • Evidence of compliance with harmonized standards and CRA requirements.

    • Certificates from accredited testing laboratories as applicable.

    • Vulnerability reports, testing results, and declarations of conformity.

9. Audit and Assessment Rights

  • The Buyer reserves the right to perform cybersecurity audits and assessments of the Partner’s processes and components to verify compliance with CRA requirements.

  • The Partner agrees to accommodate such audits within reasonable notice and provide all necessary records.

10. Security Training

  • The Partner shall ensure that all personnel involved in the design, production, or maintenance of components receive adequate training on cybersecurity practices and CRA requirements.

11. Termination for Non-Compliance

  • The Buyer may terminate the agreement if the Partner fails to meet the CRA-aligned security requirements and does not resolve identified issues within 30 business days of notice.

12. Indemnification and Liability

  • The Partner agrees to indemnify and hold the Buyer harmless for any losses, damages, or penalties resulting from non-compliance with CRA-aligned requirements or cybersecurity incidents originating from the Partner’s components.

Signature Section
By signing below, both parties agree to the terms and conditions set forth in this agreement:

Partner:
Name: ____________________
Title: ____________________
Date: ____________________

Buyer:
Name: ____________________
Title: ____________________
Date: ____________________
