
Supply Chain Risk Assessment: How to Actually Evaluate Third-Party Risk in 2026 + Template
Anna Fitzgerald
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
In late April 2025, a cyber attack brought Marks & Spencer, one of the UK’s largest retailers, to a standstill. It disrupted food distribution across 500 stores, suspended online shopping, compromised customer data, and cost an estimated $400 million, or 30% of its operating profit.
The attackers didn't exploit a system weakness within Marks & Spencer’s core infrastructure. Instead, they used social engineering techniques on employees at a third-party contractor to gain access to the retail giant.
Recent cyber attacks like this prove that supply chain risk assessments are no longer optional compliance exercises. They're operational necessities. Organizations today have sprawling supply chains and need a systematic way to evaluate which relationships introduce acceptable risk and which ones create potential points of failure that must be addressed.
This guide breaks down what supply chain risk assessment actually involves, when organizations get it wrong, and how to build an assessment process that catches vulnerabilities before they turn into major breaches.
What is a supply chain risk assessment?
A supply chain risk assessment is the structured process for identifying, analyzing, and evaluating potential threats, vulnerabilities, and impacts introduced by any part of your supply chain. This includes third-party suppliers, vendors, contractors, service providers, and components, such as hardware or open-source software.
This assessment answers three critical questions:
- What risks does this part of the supply chain introduce? (identification)
- How likely and severe are these risks? (analysis)
- Can we accept, mitigate, or avoid these risks? (evaluation)
Assessment is a key step in the broader supply chain risk management process and must be completed before you can create and implement mitigation strategies.

How is it different from a vendor risk assessment?
Unlike general vendor due diligence, supply chain risk assessment specifically focuses on understanding how dependencies on external entities or components could compromise the confidentiality, integrity, or availability of your systems, data, and operations.
These aren’t just the risks introduced by the vendors or service providers your organization contracts with directly.
They include:
- Third parties: Direct suppliers, vendors, contractors, or service providers
- Fourth parties: Suppliers' suppliers
- Supplier interdependencies: Mutual dependencies between suppliers that can affect cost control, product delivery, and more
- Supply chain integrity: Authenticity of components and products throughout the supply chain
- Systemic risks: Geopolitical instability, disasters, economic volatility, and cyber threats that often collide and trigger a supply chain crisis
In other words, vendor risk management is a subset of supply chain risk management. Supply chain risk assessment is therefore more complex and requires evaluating both direct vendor relationships and the broader supply chain context those relationships exist within. This is increasingly important and difficult.
Recommended reading
Supply Chain Risk Management (SCRM) in 2026: The Process + Policy Template You Need
Why supply chain risk assessments are so important in 2026, according to recent data
Marks & Spencer’s third-party breach wasn’t an isolated incident. According to SecurityScorecard's 2025 Supply Chain Cybersecurity report, 88% of security leaders are now concerned about supply chain cyber risks and for good reason. More than 70% reported at least one material third-party cybersecurity incident in the past year.
The most common third-party risk event? A cyber attack or data breach, according to nearly half (43%) of enterprise risk managers in Forrester's 2025 Business Risk Survey. A data breach or other security incident due to poor vendor security practices was also the number one concern (36%) of risk professionals in the 2025 Mitratech Third-Party Risk Management (TPRM) Study.
In other words, despite heightened concern and awareness of the risks their own supply chains pose, most organizations are experiencing exactly the threat events that their risk assessments are supposed to catch. And these poor vendor security practices are costing them dearly.
According to IBM's 2025 Cost of a Data Breach report, supply chain compromise was the second most prevalent and costliest attack vector at $4.91 million per incident and the number one factor most likely to increase the overall cost of a breach.
Part of the issue is that most organizations have sprawling supply chains and the teams tasked with managing risks are dangerously understaffed. The Mitratech survey found that organizations assess only 40% of vendors on average, mainly due to lack of resources. Seven in ten (70%) TPRM programs are understaffed.
Similarly, the Ncontracts 2025 Third-Party Risk Management Survey found that 73% of institutions have two or fewer full-time employees managing vendor risk, even though more than half oversee 300 or more vendors.
The majority of security leaders (60%) report that supply chain risks have already become “innumerable and unmanageable,” according to ISMS.online’s The State of Information Security Report 2025.
But supply chain risk management isn’t hopeless. It’s just ineffective for many organizations, starting with issues in one of the first steps of the process.
Recommended reading
100+ Essential Third-Party Risk Statistics and Trends [2026 Update]
5 Reasons supply chain risk assessments fail
Most organizations conduct some form of supplier evaluation. The problem is that these assessments often fail to identify material risks until after an incident occurs.
Here's why supply chain risk assessments often fall short and what happens when they do.
1. Assessing the wrong suppliers
Organizations frequently focus assessment efforts on their largest suppliers by spend or contract value, missing critical dependencies on smaller vendors that handle sensitive data or provide access to core systems.
According to recent research by BlackBerry, almost three-quarters (74%) of attacks originated from members of the software supply chain that companies were unaware of or did not monitor before the breach.
Real-world consequence:
In March 2025, the Interlock Ransomware Group targeted National Defense Corporation (NDC), a subsidiary of National Presto Industries and a key supplier of ammunition and explosives for the military. Attackers claimed to have stolen roughly three million files from NDC and several affiliated entities.
NDC wasn't a headline-grabbing prime contractor. It was a lower-tier supplier that likely wouldn't have been prioritized for rigorous assessment based on contract value alone. The compromised procurement and logistics data could disrupt critical military supply lines, demonstrating how attackers specifically seek out suppliers at lower tiers that may not get as much oversight.
What you should do differently:
Risk assessment and prioritization should be based on data access, system connectivity, and potential impact, not contract size. A $50,000 vendor with database access may pose greater risk than a $5 million vendor providing office supplies.
2. Point-in-time assessments that go stale
Many organizations conduct supplier assessments during onboarding using spreadsheets or other manual processes that capture point-in-time data and then rarely reassess unless there's a contract renewal or security incident.
According to Mitratech’s latest report, 54% of organizations are not confident in their ability to assess risk across the vendor lifecycle and 41% said they’re still using spreadsheets.
Real-world consequence:
In November 2025, the Inc Ransom group exploited a vulnerability in a third-party library used by OnSolve's CodeRED emergency notification platform, deploying file-encrypting ransomware that left cities, counties, and law enforcement across multiple US states unable to send emergency alerts about public safety events. The breach also exposed CodeRED user data, which the attackers claimed to have put up for sale.
Government agencies relying on CodeRED had likely vetted the vendor only once during onboarding or relied on point-in-time assessments. Some customers, including Colorado law enforcement agencies, are now attempting to cancel contracts.
What you should do differently:
Supplier risk is dynamic. Financial stability changes, security practices drift, ownership transfers, and new vulnerabilities emerge. Effective assessments require continuous or periodic reassessment using automation, not one-time evaluation using spreadsheets.
3. Accepting questionnaires without verification
Security questionnaires are common assessment tools, but they're only as reliable as the respondent's honesty and understanding of their own environment.
According to RiskRecon’s latest report on the state of third-party risk management, security questionnaires remain the most popular method of assessing third-party risk (84%), despite only 4% of organizations having high confidence that the answers match reality.
Real-world consequence:
In April 2025, the DOJ reached a $4.6 million settlement with MORSECORP, Inc., a small defense contractor accused of falsely certifying compliance with NIST 800-171 cybersecurity requirements. In 2021, MORSE reported a score of 104 in the Supplier Performance Risk System (SPRS), but an independent 2022 review found the true score was –142, with only 22% of controls implemented and over 70 remediation items required. MORSE failed to update its score for nearly a year, only doing so after receiving a DOJ subpoena.
As the ninth False Claims Act settlement under the Civil Cyber-Fraud Initiative, it illustrates how self-reported security posture can diverge catastrophically from reality when not independently verified.
What you should do differently:
The defense sector is moving toward mandatory third-party verification of cybersecurity compliance under CMMC, which requires Certified Third-Party Assessment Organizations (C3PAOs) to validate controls rather than accepting contractors’ self-attestations.
Organizations outside the defense sector should adopt the same principle. Questionnaires should be supplemented with independent verification wherever possible, including compliance certifications (SOC 2, ISO 27001), penetration test results, third-party attestations, and evidence of security controls.
4. Not assessing fourth parties
Organizations often assess direct suppliers (third parties) but fail to evaluate the suppliers' suppliers (fourth parties), missing critical dependency chains.
McKinsey's 2025 survey of global supply chain leaders found that while 95% of organizations have visibility into tier-one supplier risks, only 42% have visibility into tier two or beyond.
Real-world consequence:
In September 2025, attackers launched a targeted phishing campaign to compromise npm (Node Package Manager) maintainer accounts and inject malicious code into widely used JavaScript packages. These packages are downloaded over 2.6 billion times per week globally. Organizations using these packages in their own builds—or relying on vendors who did—had no direct assessment of the open-source maintainers whose code underpinned their supply chain.
The compromise went undetected across thousands of downstream consumers because fourth-party risk was simply not part of most organizations' assessment scope.
What you should do differently:
Supply chain risk assessment must consider fourth-party risk, including open-source dependency compromise and traditional fourth-party suppliers (your vendors' vendors). Suppliers, especially high-risk ones, should be required to flow down security and assessment requirements to their own subcontractors to help share the burden of supply chain oversight. Flowdown requirements are now explicitly mandated by the DoD from primes to subcontractors.
5. Treating assessment as a checkbox
The most common failure mode is conducting supply chain risk assessments to satisfy audit requirements without actually using the findings to make decisions or drive remediation.
Navex Global’s 2025 State of Risk & Compliance Report found that most organizations lacked confidence in the effectiveness of their third-party security. 16% of surveyed risk and compliance professionals said they don’t think their third-party due diligence program significantly reduces their legal, financial and reputational risks. More than half only “somewhat” agreed it did.
Real-world consequence:
In February 2025, Health Net Federal Services (HNFS) agreed to pay over $11 million to settle allegations that the company falsely certified compliance with cybersecurity requirements for three years while administering the TRICARE West Region contract with the Department of Defense.
The DOJ alleged that HNFS failed to fully implement 110 NIST 800-171 controls and 51 NIST 800-53 controls, putting servicemember data and protected health information at risk.
The most concerning failure was the lack of a vulnerability management program. While HNFS ran scans and obtained third-party audits, they failed to act on the results. As one security expert noted, "It sounds like HNFS was simply using audits and scans as a compliance checkbox. These programs essentially say, 'Yes, we run scans. Yes, we get third-party audits.' But for scans and audits to be effective, you must take the results and do something with them."
As a result of these failures, HNFS stopped delivering healthcare services under the contract on December 31, 2024.
What you should do differently:
Assessments must drive action. If a supplier assessment identifies unacceptable risk, organizations must mitigate the risk (through contract terms, monitoring, or compensating controls), accept the risk with explicit justification, or find an alternative supplier.
Recommended reading
Supply Chain Attacks: Recent Examples, Trends & How to Prevent Them in 2026
What a supply chain risk assessment evaluates
An effective supply chain risk assessment examines multiple dimensions of risk that a supplier relationship introduces to your organization.
1. Cybersecurity and data protection risk: This evaluates the supplier's ability to protect confidential, sensitive, or regulated data from unauthorized access, theft, or exposure.
2. Operational risk: This evaluates the supplier's operational stability and ability to deliver services consistently without disruption.
3. Reputational risk: This considers how the supplier relationship could affect your organization's public perception, brand value, and stakeholder trust.
4. Strategic risk: This examines whether the supplier relationship aligns with your organization's long-term strategy, technology direction, and risk tolerance.
5. Compliance risk: This assesses whether the supplier meets regulatory and contractual obligations that could create liability for your organization.
Recommended reading
Non-Compliance Fines and Sanctions: Real Cases With $ Impact + Enforcement Trends to Watch in 2026
Supply chain risk assessment methods
Organizations use different assessment methodologies depending on the supplier's risk level, the complexity of the relationship, and available resources.
Tiered assessment approach (recommended)
Most effective supply chain risk assessment programs use a tiered approach that scales assessment rigor based on inherent risk.
Tier 1 (Low risk): Basic due diligence
- Limited data access or system connectivity
- Non-critical services
- Minimal assessment: basic questionnaire, contract review
Tier 2 (Medium risk): Standard assessment
- Moderate data access or operational impact
- Detailed questionnaire
- Compliance certification review
- References and reputation check
Tier 3 (High risk): Comprehensive assessment
- Extensive data access, critical systems, or regulated data
- Full security assessment
- On-site or virtual audit
- Technical security testing
- Ongoing monitoring and periodic reassessment
Assessment techniques
- Security questionnaires: Standardized questions about security practices, policies, and controls. Effective for initial screening but should not be the sole assessment method for high-risk suppliers.
- Document review: Analysis of compliance certifications, audit reports, security policies, and incident history. Provides independent verification beyond self-reported information.
- On-site or virtual audits: Direct evaluation of supplier facilities, systems, and practices. Most thorough but resource-intensive; typically reserved for highest-risk relationships.
- Technical security testing: External vulnerability scans, penetration testing, or architecture reviews. Validates technical controls beyond policy documentation.
- Continuous monitoring: Automated tools that monitor supplier security posture, financial stability, and threat intelligence. Enables detection of changes between formal assessments.
Recommended reading
Risk Assessment Methodologies Explained: Types, Examples, and How to Choose
Supply chain risk assessment matrix: What to score
Risk assessment requires translating qualitative findings into actionable data that drive decision-making.
Likelihood assessment
Evaluate the probability that a risk event will occur based on:
- Threat environment: Current threat actors targeting this sector or technology
- Vulnerability exposure: Known weaknesses in supplier systems or practices
- Historical incidents: Supplier's security incident history
- Control maturity: Effectiveness of supplier's security controls
Common likelihood ratings: Low (unlikely within 3+ years), Medium (possible within 1-3 years), High (likely within 1 year), Very High (imminent or ongoing)
Impact assessment
Evaluate the potential consequences if a risk event occurs:
- Data exposure: Scope and sensitivity of data at risk
- Operational disruption: Impact on business continuity and critical services
- Financial loss: Direct costs, recovery expenses, regulatory fines
- Regulatory consequences: Violations, enforcement actions, loss of authorization
- Reputational damage: Customer trust impact, media coverage, brand harm
Common impact ratings: Low (minimal impact), Medium (manageable impact), High (significant impact), Critical (severe or catastrophic impact)
Risk scoring matrix
Combine likelihood and impact to generate an overall risk rating:

Determining acceptable risk
Organizations must define risk tolerance thresholds that trigger specific actions:
- Low risk: Accept with standard monitoring
- Medium risk: Accept with compensating controls or enhanced monitoring
- High risk: Mitigate through contract terms, technical controls, or contingency planning
- Critical risk: Avoid the relationship or require significant remediation before proceeding
Recommended reading
Mastering Third-Party Risk Management: A Complete Guide + TPRM Policy Template
Breaking down the supply chain risk assessment process step-by-step
A sustainable assessment process balances thoroughness with efficiency, scaling rigor based on actual risk rather than treating all suppliers identically.

Step 1: Define assessment triggers
Establish when assessments are required:
- New supplier onboarding
- Contract renewal
- Significant scope change (new data access, expanded services)
- Ownership change or merger/acquisition
- Security incident involving the supplier
- Annual or periodic reassessment based on risk tier
Step 2: Classify suppliers by risk tier
Before conducting detailed assessments, categorize suppliers based on inherent risk factors:
High-risk indicators:
- Access to sensitive or regulated data (PII, PHI, payment card data, CUI)
- Connection to production systems or critical infrastructure
- Single points of failure with no backup suppliers
- Provision of security, IT, or infrastructure services
- Geographic or political risk factors
Medium-risk indicators:
- Limited data access or system connectivity
- Important but not critical services
- Established compliance certifications
Low-risk indicators:
- No data access or system connectivity
- Commodity services with multiple alternatives
- Minimal operational impact if relationship ends
Step 3: Select appropriate assessment methods
Match assessment rigor to supplier risk tier:
- High-risk suppliers: Comprehensive assessment including questionnaire, document review, technical testing, and ongoing monitoring
- Medium-risk suppliers: Standard questionnaire and certification review
- Low-risk suppliers: Basic due diligence and contract review
Step 4: Conduct the assessment
Now’s the time for execution. Assess suppliers using your selected methods and document all findings, evidence reviewed, and gaps identified.
Critical success factor: Ensure assessors understand your organization's specific risk concerns, data classification standards, and compliance requirements. Generic assessments often miss organization-specific risks.
Step 5: Score and classify risk
Apply your risk scoring methodology to determine overall risk rating and identify specific high-priority concerns requiring immediate attention.
Step 6: Make risk decisions
For each identified risk, determine the appropriate risk treatment:
- Accept: Document justification for accepting risk within tolerance
- Mitigate: Define required controls, contract terms, or monitoring
- Avoid: Decline or terminate the supplier relationship
- Transfer: Obtain insurance or contractual protections
Step 7: Document and communicate
Create assessment reports that clearly communicate:
- Risk rating and key findings
- Required actions and owners
- Approval or rejection decision
- Basis for risk acceptance (if applicable)
Share findings with stakeholders who own the supplier relationship, procurement teams, and risk/compliance functions.
Step 8: Monitor and reassess
Establish ongoing monitoring mechanisms and reassessment schedules based on risk tier and relationship changes.
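The scoring matrix, tolerance thresholds, tier indicators and reassessment cadences described above, pulled together into one small risk register helper. This is an added example, not Secureframe's code or the downloadable template; the matrix cell values, the Supplier field names and the 365-day year are assumptions, since the page lists the rating scales but not the cell assignments.

```python
"""Supplier risk register helper (added example; assumptions noted inline).

Classifies a supplier into an inherent-risk tier from the Step 2 indicators,
selects the Step 3 assessment methods for that tier, combines likelihood and
impact into an overall rating, maps the rating to a risk treatment, and sets
the next review date from the tier's reassessment cadence (Step 8).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Ordinal scales from the "Likelihood assessment" and "Impact assessment" sections.
LIKELIHOOD = ("Low", "Medium", "High", "Very High")
IMPACT = ("Low", "Medium", "High", "Critical")

# ASSUMED scoring matrix: rows are likelihood, columns are impact, in the
# order above. The page names the four output ratings but not the cells.
MATRIX = {
    "Low":       ("Low",    "Low",    "Medium",   "High"),
    "Medium":    ("Low",    "Medium", "High",     "High"),
    "High":      ("Medium", "High",   "High",     "Critical"),
    "Very High": ("Medium", "High",   "Critical", "Critical"),
}

# Risk tolerance thresholds from "Determining acceptable risk".
TREATMENT = {
    "Low": "Accept with standard monitoring",
    "Medium": "Accept with compensating controls or enhanced monitoring",
    "High": "Mitigate through contract terms, technical controls, or contingency planning",
    "Critical": "Avoid the relationship or require significant remediation before proceeding",
}

# Step 3: assessment rigor per tier.
METHODS = {
    "High": ("questionnaire", "document review", "technical testing", "ongoing monitoring"),
    "Medium": ("standard questionnaire", "certification review"),
    "Low": ("basic due diligence", "contract review"),
}

# Reassessment cadence: annual for high risk, biennial for medium; low-risk
# suppliers are reassessed only on onboarding or a major contract change.
CADENCE_DAYS = {"High": 365, "Medium": 730, "Low": None}

SENSITIVE_DATA = frozenset({"PII", "PHI", "PCI", "CUI"})


@dataclass
class Supplier:
    """Inherent-risk inputs for one supplier (field names are assumptions)."""
    name: str
    annual_spend_usd: int                      # deliberately NOT used for tiering
    data_classes: frozenset = frozenset()      # e.g. {"PII"}; empty = no data access
    system_access: str = "none"                # "none", "limited" or "production"
    service_criticality: str = "commodity"     # "commodity", "important" or "critical"
    single_point_of_failure: bool = False
    provides_security_or_it: bool = False
    geopolitical_risk: bool = False


def inherent_tier(s: Supplier) -> str:
    """Step 2: tier on data access, connectivity and impact, never on spend."""
    if (s.data_classes & SENSITIVE_DATA
            or s.system_access == "production"
            or s.service_criticality == "critical"
            or s.single_point_of_failure
            or s.provides_security_or_it
            or s.geopolitical_risk):
        return "High"
    if s.data_classes or s.system_access == "limited" or s.service_criticality == "important":
        return "Medium"
    return "Low"


def risk_rating(likelihood: str, impact: str) -> str:
    """Step 5: look up the overall rating in the (assumed) scoring matrix."""
    return MATRIX[likelihood][IMPACT.index(impact)]


def next_review(assessed_on: date, tier: str) -> Optional[date]:
    """Step 8: schedule reassessment; None means event-driven only."""
    days = CADENCE_DAYS[tier]
    return assessed_on + timedelta(days=days) if days else None


def assess(s: Supplier, likelihood: str, impact: str, assessed_on: date) -> dict:
    """Build one risk register row covering Steps 2, 3, 5, 6 and 8."""
    tier = inherent_tier(s)
    rating = risk_rating(likelihood, impact)
    return {
        "supplier": s.name, "tier": tier, "methods": METHODS[tier],
        "rating": rating, "treatment": TREATMENT[rating],
        "assessed_on": assessed_on, "next_review": next_review(assessed_on, tier),
    }


# Constructed sample suppliers for the page's "$50,000 vendor with database
# access vs. $5 million office-supplies vendor" comparison.
ANALYTICS_VENDOR = Supplier("Analytics Co (constructed)", 50_000,
                            data_classes=frozenset({"PII"}), system_access="production")
OFFICE_VENDOR = Supplier("Office Supplies Inc (constructed)", 5_000_000)
ASSESSED_ON = date(2026, 1, 15)

if __name__ == "__main__":
    print(assess(ANALYTICS_VENDOR, "High", "High", ASSESSED_ON))
    print(assess(OFFICE_VENDOR, "Low", "Low", ASSESSED_ON))
```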
Supply chain risk assessment template
Supplier risk assessment isn't just a thought exercise. It's a documentation requirement for security frameworks like CMMC, ISO 27001, SOC 2, PCI DSS, and HIPAA to demonstrate that supplier risks have been systematically evaluated, scored, and tracked over time.
We created this template to help you solve three common challenges organizations experience when trying to establish a process. It:
- Standardizes evaluation criteria so assessments are consistent across suppliers and assessors
- Documents risk decisions in a format auditors will accept as evidence of due diligence
- Enables tracking over time so you can identify which risks are being mitigated and which are worsening
Use it to capture essential assessment components such as:
- Supplier identification and risk tier (High/Medium/Low based on data access and impact)
- Threat events and sources specific to that supplier relationship
- Vulnerabilities and predisposing conditions that increase likelihood of impact
- Likelihood and impact ratings using consistent criteria
- Calculated risk level derived from the scoring matrix
- Mitigation actions required with clear ownership and timelines
- Assessment date and next review date to ensure reassessment cadences are maintained

Download the Supply Chain Risk Assessment Template
Use this template to start identifying, assessing, and mitigating supplier risks in a structure that auditors accept when evaluating your supply chain risk management program, policies, and evidence.
Beyond the template: When spreadsheets aren't enough
A template is a starting point, not a complete solution. For organizations managing dozens or hundreds of supplier relationships, a manual, spreadsheet-based assessment process quickly becomes unsustainable.
Signs you've outgrown spreadsheet-based assessment:
- Assessments are consistently late or skipped because tracking due dates manually doesn't scale
- Multiple versions of the assessment template exist across teams, making aggregation impossible
- You can't quickly answer "which suppliers pose the highest risk right now?" without manually reviewing spreadsheets
- Supplier security posture changes (new breach, expired certification, ownership change) go undetected between formal reassessments
- Auditors request evidence of continuous monitoring and your spreadsheet can't demonstrate it
At this scale, automated third-party risk management platforms become necessary to maintain assessment rigor without exponentially increasing headcount.
Supply chain risk assessment best practices: What to do differently in 2026
The incidents and data from 2025 revealed a clear pattern: most organizations aren't failing at supply chain risk assessment because they don't have one. They're failing because their assessment practices haven't kept up with how attacks actually work today. The table below maps the most common assessment gaps observed in 2025 to the specific shifts organizations need to make in 2026.
| What didn't work in 2025 | Why it failed | What to do in 2026 |
|---|---|---|
| Treating all suppliers the same | Nearly 50% of companies do not rank their vendors and third-party providers by risk level at all. Applying identical assessment processes to all suppliers wastes resources on low-risk relationships and provides insufficient scrutiny for high-risk ones. | Remap supplier priority based on data access, system connectivity, and blast radius—not budget line. Any supplier touching sensitive data, production systems, or critical infrastructure should be tiered as high-risk regardless of contract size. |
| Treating assessment as a one-time event | Organizations vetted suppliers at onboarding and then largely left them alone until contract renewal. But recent attacks show how quickly supplier environments can degrade and how a single compromised supplier can cascade into economy-scale disruption. | Build reassessment cadences tied to risk tier: annual for high-risk, biennial for medium. Supplement with continuous monitoring tools that flag changes in supplier security posture, ownership, or financial stability between formal assessments. |
| Over-relying on self-reported security posture | Many organizations accepted supplier questionnaires and vendor-provided documentation at face value, without independent corroboration. | Require third-party attestations (SOC 2 Type II, ISO 27001, pen test results) as a baseline for any supplier handling sensitive data—not just the supplier's own documentation. |
| No incident response plan for supplier breaches | Per SecurityScorecard's 2025 report, only 26% of organizations incorporated incident response into their TPRM programs. | Develop and test incident response plans that explicitly include third-party breach scenarios. Define escalation paths, communication protocols with affected suppliers, and customer/regulator notification timelines before an incident occurs—not during one. |
| Stopping at tier one | Supply chain visibility continues to drop sharply beyond direct suppliers, leaving open-source dependencies and other fourth-party risks unmonitored. Fewer than half of organizations monitor cybersecurity across even 50% of their nth-party supply chains. | Mandate flow-down requirements in contracts with high-risk suppliers, requiring them to assess and attest to their own subcontractors' security. For software supply chains specifically, implement dependency scanning and software bill of materials (SBOM) requirements. |
| Assessing compliance, not resilience | Assessment programs focused on whether suppliers checked compliance boxes (certifications, policy docs, questionnaire responses) without testing whether those controls would actually hold under attack. | Add scenario-based and operational criteria to assessments: Can this supplier recover from a ransomware attack within your acceptable recovery time? Do they have a tested incident response plan? In 2026, compliance is the floor; resilience is the standard. |
| Ignoring the human element | Attacks in 2025 increasingly entered supply chains through social engineering rather than technical exploits. Assessment programs focused almost exclusively on technical controls missed this vector entirely. | Expand supplier assessments to evaluate security awareness training programs, anti-phishing controls, and identity verification procedures. |
Supply chain risk assessment tools
Manual assessment processes don't scale beyond a few dozen suppliers. Organizations managing hundreds or thousands of supplier relationships need technology to automate data collection, analysis, and monitoring.
Key capabilities to look for
- Risk-based supplier classification: Automated categorization based on data access, system connectivity, and impact factors.
- Assessment workflow automation: Tools that manage questionnaire distribution, response collection, and reviewer assignment.
- Evidence repository: Centralized storage for compliance certifications, audit reports, contracts, and assessment documentation.
- Risk scoring and reporting: Automated calculation of risk ratings based on assessment responses and supporting evidence.
- Continuous monitoring: Integration with external threat intelligence, financial data, and security rating services to detect changes between formal assessments.
- Compliance mapping: Ability to map supplier controls to specific framework requirements (NIST 800-53, SOC 2, ISO 27001, CMMC).
Evaluating supply chain risk assessment tools
To select a tool that’s right for your organization, use the following questions:
- Does it integrate with your existing systems (procurement, GRC, security tools)?
- Does it support your specific compliance frameworks?
- Can it scale to manage your current and future supplier count?
- Is it easy to use for both internal teams and suppliers?
- What’s the quality of reporting and stakeholder communications?
- Is expert guidance and support available?
Recommended reading
The Future of Risk Management: Embracing Automation for Better Decision-Making
How Secureframe streamlines supply chain risk assessment
Secureframe's third-party risk management (TPRM) platform simplifies and automates supply chain risk assessment, enabling organizations to scale their assessment programs without proportionally increasing headcount.
Automated risk assessment
Secureframe integrates with hundreds of suppliers and vendors to automatically retrieve security information, compliance certifications, and attestations. This eliminates manual data collection and provides continuous visibility into supplier security posture.
Risk-based supplier classification
The platform automatically categorizes suppliers based on data access, system connectivity, and inherent risk factors, helping organizations prioritize assessment efforts on highest-risk relationships.
Evidence management
Secureframe centralizes all supplier documentation—including SOC reports, security policies, compliance certifications, and assessment questionnaires—providing a single source of truth for audit and review.
Continuous monitoring and alerts
Rather than relying solely on point-in-time assessments, Secureframe provides ongoing monitoring of supplier security posture and sends alerts when changes occur that require reassessment or action.
Advanced TPRM capabilities
For organizations with complex supplier ecosystems, Secureframe offers Advanced TPRM with:
- Comply AI for TPRM: Automatically extract answers from supplier documents, saving hours of manual review
- Auto-Detect Shadow Vendors: Identify unauthorized applications through SSO integration monitoring
- Customizable risk frameworks: Tailor scoring, categorization, and assessment processes to your organization's specific risk model
Framework-specific assessment support
Secureframe provides out-of-the-box support for framework-specific supplier requirements including NIST 800-53, CMMC, SOC 2, ISO 27001, and Microsoft SSPA.
To learn how Secureframe can help your organization conduct more effective supply chain risk assessments, request a demo today.
FAQs
What's the difference between risk identification and risk assessment?
Risk identification is the process of finding and documenting potential risks. Risk assessment takes those identified risks and analyzes their likelihood and potential impact to determine which risks require mitigation. Identification answers "what risks exist?" while assessment answers "how serious is this risk?"
How often should supply chain risk assessments be conducted?
Assessment frequency should be based on supplier risk tier. High-risk suppliers should be assessed at least annually, or whenever significant changes occur. Medium-risk suppliers typically require reassessment every 2-3 years or at contract renewal. Low-risk suppliers may only need assessment at onboarding and at major contract changes. Continuous monitoring should supplement formal reassessments at all tiers.
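The tiered schedule above, encoded as a check you could run over a supplier inventory. This is an added example, not Secureframe's code; the supplier records are constructed, and the 2-year interval for medium-risk suppliers and the treatment of a major contract change as a "significant change" at every tier are assumptions.

```python
# Added example: flag suppliers whose formal reassessment is due under the
# tiered schedule (high: annual; medium: every 2 years or at contract renewal;
# low: onboarding and major contract changes; monitoring alerts at all tiers).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: the FAQ's "every 2-3 years" for medium tier is taken as 2 years.
MAX_INTERVAL_DAYS = {"high": 365, "medium": 2 * 365}


@dataclass
class Supplier:
    name: str
    tier: str                          # "high", "medium" or "low"
    last_assessed: Optional[date]      # None = never assessed (onboarding)
    contract_renewal: Optional[date] = None
    significant_change: bool = False   # new data access, incident, major contract change
    monitoring_alert: bool = False     # finding from continuous monitoring


def reassessment_reason(s: Supplier, today: date) -> Optional[str]:
    """Return why `s` needs (re)assessment now, or None if it is current."""
    if s.tier not in MAX_INTERVAL_DAYS and s.tier != "low":
        raise ValueError(f"unknown tier {s.tier!r}")
    if s.last_assessed is None:
        return "onboarding: never assessed"
    if s.monitoring_alert:                      # applies at every tier
        return "continuous monitoring alert"
    if s.significant_change:                    # assumed to apply at every tier
        return "significant change"
    age = today - s.last_assessed
    renewal_passed = (s.contract_renewal is not None
                      and s.last_assessed < s.contract_renewal <= today)
    if s.tier == "medium" and renewal_passed:
        return "medium tier: contract renewal"
    if s.tier in MAX_INTERVAL_DAYS and age > timedelta(days=MAX_INTERVAL_DAYS[s.tier]):
        return f"{s.tier} tier: periodic reassessment overdue"
    return None                                 # low tier has no fixed interval


def due_for_assessment(suppliers: List[Supplier], today: date) -> List[Tuple[str, str]]:
    """List (name, reason) for every supplier that needs assessment today."""
    out = []
    for s in suppliers:
        reason = reassessment_reason(s, today)
        if reason:
            out.append((s.name, reason))
    return out


# Constructed sample inventory, evaluated as of 2026-01-15.
INVENTORY = [
    Supplier("payroll-saas", "high", date(2024, 12, 1)),                    # 410 days old
    Supplier("cdn-provider", "high", date(2025, 6, 1)),                     # current
    Supplier("logistics-api", "medium", date(2024, 2, 1), date(2025, 11, 30)),
    Supplier("analytics-vendor", "medium", date(2025, 9, 1), monitoring_alert=True),
    Supplier("office-supplies", "low", date(2021, 3, 1)),                   # no interval
    Supplier("new-contractor", "low", None),                                # onboarding
]
```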
What should I do if a supplier refuses to complete a risk assessment?
First, explain why the assessment is necessary based on your organization's risk management requirements and compliance obligations. If the supplier still refuses, consider whether the risk of proceeding without assessment is acceptable. For high-risk relationships, refusal to provide assessment information may be grounds to seek alternative suppliers or decline the relationship.
How do I assess suppliers that don't have security certifications?
Not all suppliers—especially smaller vendors—have formal security certifications. In these cases, rely more heavily on security questionnaires, contract security requirements, and potentially technical security testing. You can also implement compensating controls on your side, such as data minimization, network segmentation, or additional monitoring.
What's the difference between supply chain risk assessment and vendor due diligence?
Vendor due diligence is a broader evaluation that includes financial stability, legal compliance, business reputation, and operational capability. Supply chain risk assessment specifically focuses on security, privacy, and operational risks that could disrupt your organization or compromise your systems and data. Risk assessment is typically one component of comprehensive due diligence.
What happens if a risk assessment identifies unacceptable risks after the contract is signed?
If assessment reveals unacceptable risks post-contract, you have several options: negotiate a contract amendment to add required security controls, implement compensating controls on your side to reduce risk exposure, escalate to leadership with a recommendation to terminate the relationship, or formally accept the risk with documented justification. The worst option is to do nothing.
How do I assess fourth-party risk (my suppliers' suppliers)?
Fourth-party assessment typically involves requiring your direct suppliers (third parties) to flow down security requirements to their subcontractors and provide attestations of compliance. For critical services, you may require suppliers to identify their subcontractors and provide evidence of their security practices. This approach is now mandatory in defense supply chains under CMMC requirements.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.