U.S. House Passes Supply Chain Risk Management Act of 2021: What You Need to Know

Blog post by Zachary Jarvinen, 2021-12-06


The US House of Representatives passed the Software Supply Chain Risk Management Act of 2021 by an overwhelming bipartisan vote (412-2) on Oct. 20, 2021. The legislation's goal is to strengthen software supply chain and network security, with a focus on the Department of Homeland Security (DHS).

The legislation requires the DHS to develop a framework under which contractors disclose the origin of their software components through a software bill of materials (SBOM). It aims to remodel, modernize, and streamline the DHS's process for procuring and using ICT products, services, and solutions. The legislation directs the DHS's new and existing software suppliers to clearly state the origin of every component of any software supplied to the DHS.

In addition to submitting an SBOM, the new legislation requires software suppliers to:

  1. Certify that the software and each of its components are free of known security loopholes or defects
  2. Notify the DHS of any identified security loophole or defect in the software
  3. Provide a plan to mitigate or fix any identified security defects
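
The three obligations above map naturally onto an automated check over the SBOM itself. The following is an added example, not code from the original post or from any DHS framework: it reads a CycloneDX-style JSON SBOM (format assumed; the sample is constructed), flags every component with no declared supplier/origin, matches components against a constructed list of defects the supplier has already identified, and emits one remediation-plan entry per defect.

```python
"""Added example: SBOM origin check, defect notification list and remediation plan."""
import json

# Constructed sample SBOM; field names follow CycloneDX 1.4 conventions (assumed).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "supplier": {"name": "Foo Inc"}},
        {"name": "libbar", "version": "0.9.0"},                      # no origin declared
        {"name": "libbaz", "version": "2.0.1", "supplier": {"name": "Baz LLC"}},
    ],
})

# Constructed list of defects the supplier has already identified (placeholder id).
KNOWN_DEFECTS = {
    ("libbaz", "2.0.1"): "EXAMPLE-DEFECT-001 (placeholder identifier)",
}


def load_components(sbom_json):
    """Return the component list of a CycloneDX-style SBOM document."""
    return json.loads(sbom_json).get("components", [])


def missing_origin(components):
    """Obligation: every constituent must name its origin. Return those that don't."""
    return [f"{c['name']}@{c['version']}" for c in components
            if not c.get("supplier", {}).get("name")]


def known_defects(components, defects=KNOWN_DEFECTS):
    """Obligation 2: (component, defect) pairs the supplier must notify the DHS about."""
    key = lambda c: (c["name"], c["version"])
    return [(f"{c['name']}@{c['version']}", defects[key(c)])
            for c in components if key(c) in defects]


def remediation_plan(components, defects=KNOWN_DEFECTS):
    """Obligation 3: one planned action per identified defect."""
    return [{"component": comp, "defect": d,
             "action": "upgrade or patch the component, then re-issue the SBOM"}
            for comp, d in known_defects(components, defects)]


def check_sbom(sbom_json):
    """Run all three checks and return a single report dict."""
    comps = load_components(sbom_json)
    return {"missing_origin": missing_origin(comps),
            "defects": known_defects(comps),
            "plan": remediation_plan(comps)}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

A real deployment would replace KNOWN_DEFECTS with a feed from the supplier's own vulnerability tracking, but the structure of the report is the same.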
So, why did legislators feel the need for the Software Supply Chain Risk Management Act? Cyber attacks against the United States have increased manifold over the last decade. This trend has exposed the US government to many risks that compromise national security.

When we look at the details, we see that in most cases malicious actors did not directly target US government agencies or departments. Instead, they identified vulnerabilities in the software supply chain ecosystem of those agencies and used them to carry out their attacks.

Case in point: the SolarWinds supply chain attack

Hackers often breach the cyber defenses of the contractors of government agencies or exploit loopholes in the products supplied by those contractors. In the next step, the bad actors install spyware in the software and thereby gain indirect access to critical information, including national security information.

To recognize and close the loopholes in the DHS software supply chain, the Software Supply Chain Risk Management Act of 2021 requires the department to collect information from its software contractors. Cybersecurity experts expect this information to strengthen the cyber defense of the DHS and to provide insights into risks in the supply chain ecosystem of the entire US government.

Benefits of the Legislation

In light of the increasing frequency and sophistication of supply chain attacks, this legislation will enhance the capacity of the DHS to secure its software and network, while providing better visibility into the ICT products and services it uses. It is a positive development that promotes information sharing between the DHS and its software suppliers and helps manage possible risks.

It is worth noting here that the components of a software product are developed by multiple, often small, vendors from around the world. By knowing the origin of the components, the DHS can identify at least a few touchpoints that could expose the department to threats. In doing so, the DHS can take steps to have the security loopholes fixed or determine whether malicious actors have already exploited the vulnerabilities.

The best part is that the legislation benefits the entire software supply chain ecosystem. Software suppliers will no longer hesitate to report vulnerabilities or share transparent information with stakeholders, because they now have legal cover for fixing defects and security loopholes.

How to Prepare Your Third-Party Risk Management (TPRM) Strategy

The Software Supply Chain Risk Management Act of 2021 is directed mainly at the DHS, so it may seem to have no effect on corporate software suppliers. That holds true for now, but it could lead to changes in other cybersecurity laws down the line. For instance, this step could pave the way for changes in compliance laws, policies, and regulations for the corporate sector in the near future.

As such, it makes sense for companies to prepare their vendor risk management strategy in advance. If you are a software supplier to the DHS or another government agency, you must take immediate action to comply with this new law. This is even more important if you procure your software components from other vendors, because you never know which of your vendors might leave vulnerabilities in your software.

So, how do you prepare for these challenges? This is where an advanced third-party risk management strategy has your back.

An advanced vendor risk management strategy typically includes the following crucial elements:

  • A catalog of all of your supply chain members
  • A record of all the threats your supply chain could expose your company to
  • Categorization of your vendors, assessment of the potential dangers, and risk profiles
  • A plan of action for remediation of those risks
  • A supply chain risk management framework for existing and potential vendors
  • A system that provides you with a real-time security rating of your suppliers
  • A clear policy on how to onboard third parties
  • An effective and technology-driven mechanism for vendor due diligence

Given that cybercriminals are using sophisticated methods and techniques to launch their attacks, legacy vendor risk management systems and processes can no longer protect your supply chain against these evolving threats.

It's time to switch to a modern vendor risk management platform that allows you to quickly collect and organize your vendor data. Modern systems also let you automate many repetitive functions, such as risk assessments, and give you full control over the risk management process.

Get Next-Generation Vendor Risk Management Software

CENTRL’s Vendor360 is a versatile and advanced risk management software that allows you to manage your supply chain members from a centralized directory and single, user-friendly dashboard.

Our platform makes your supplier onboarding and selection process less intimidating; it allows you to automate vendor risk assessments, audits, and monitoring. It also gives your suppliers a reliable system for quick response and streamlines the evaluation of third-party responses, in addition to powerful features for remediating threats and gaining rich insights into third-party risks.
