Category Archives: ISO 27017 Compliance Insights

For Holistic Supply Chain Security, Think Beyond CMMC 2.0

When it comes to supply chain security, fixating on Cybersecurity Maturity Model Certification (CMMC) compliance is kind of like going on a fad diet. Just as achieving overall nutritional health requires more than subsisting on, say, cabbage soup or grapefruit juice for a week, CMMC compliance is only one step toward good cybersecurity hygiene. Achieving CMMC compliance may help you mitigate software supply chain security risks in the short term, but you’ll need to do more than pass a CMMC audit to ensure ongoing, reliable supply chain security.

CMMC compliance is important, to be sure, which is why we’ve prepared a comprehensive guide to CMMC compliance controls and requirements. But as this blog explains, your cybersecurity strategy should extend beyond CMMC compliance alone, even in the age of CMMC 2.0.

CMMC 2.0 compliance: The basics

There has been a lot of buzz about CMMC compliance over the past year. The hype reflects, first, the recent release of the updated CMMC 2.0 compliance guidelines, with which businesses need to comply if they want to sell to the U.S. Department of Defense. CMMC 2.0 has been called a “leaner and more flexible version” of CMMC, making it easier to achieve compliance – provided vendors take the time to master the many changes that CMMC 2.0 brings.

At the same time, software supply chain attacks like the SolarWinds hack, which impacted a number of government agencies, have helped shine a spotlight on CMMC as a way for organizations to mitigate risks that lie within their supply chains.

The fact that it could take up to two years for CMMC 2.0 requirements to come into effect means that businesses have some time before they actually need to implement changes. Still, given how complex CMMC is, now’s a great time to start preparing for compliance, if you operate in an industry that CMMC affects.

For that purpose, our CMMC 2.0 compliance checklist, which spells out the steps to take to prepare for CMMC 2.0 compliance, is a great place to start.

As the CMMC checklist explains, adapting to CMMC 2.0 rules requires:

  • Determine whether CMMC applies: The first step in meeting CMMC 2.0 requirements is figuring out whether you even need to meet them. As our checklist explains, CMMC’s scope is evolving; in some cases, businesses are requiring their partners to be CMMC-compliant as a way of enforcing good cybersecurity hygiene, regardless of whether there is a government mandate for CMMC compliance. Thus, if you didn’t need to meet CMMC mandates before, you may now, even if you don’t do business with the DoD.
  • Determine your CMMC compliance level: There are now three CMMC compliance levels – Foundational, Advanced and Expert. The level you need to meet depends on what type of business you do and how many risks exist within your own supply chain.
  • Identify CMMC 2.0 compliance gaps: Once you know which compliance level you need to meet, you can determine what you’re currently not doing, but need to start doing, to meet its compliance requirements. You can use a tool like Findings to perform a compliance assessment in order to identify gaps.
  • Remediate CMMC compliance gaps: After identifying your gaps, remediate them by addressing the security risks within your supply chain. Here again, Findings can help automate the process by providing remediation guidance.
  • Conduct a CMMC audit: For CMMC level three compliance, you’ll need to conduct an audit and certification using a DoD-qualified auditor. For other compliance levels, you can use Findings to perform continuous self-assessments to ensure that you remain CMMC-compliant for the purposes of securing your supply chain, even if you aren’t required to demonstrate compliance to an external auditor.

A holistic supply chain security strategy

As noted above, CMMC compliance is one pillar of a modern cybersecurity strategy. But it’s only that: One pillar.

Indeed, a former CIA officer says that even the updated version of CMMC is likely not enough to address all cybersecurity risks.

Let us elaborate on that point: Because the CMMC rules were designed with supply chain security specifically in mind, achieving CMMC compliance is a great way to mitigate security risks within your supply chain. This is why, again, more and more businesses are requiring CMMC compliance even if they don’t do business with the U.S. military, and therefore don’t have an official mandate to be CMMC-compliant.

But as you’ll see if you check out our CMMC compliance checklist in detail, the CMMC rules don’t cover every facet of supply chain security management. To do that, you need a holistic set of people, process and controls to secure your supply chain. More specifically, you’ll require:

  • Processes: Security processes are what the CMMC does cover. It spells out processes for implementing protections like access controls and physical security.
  • People: Processes in frameworks like the CMMC are complex. To follow them, you need people with the requisite expertise. Keep in mind, however, that you can reduce the level of expertise necessary by leveraging tools – such as Findings – that help to automate complex compliance processes.
  • Technology: You need technology in the form of tools that allow your people to implement processes like those detailed in the CMMC. The CMMC doesn’t tell you which tools to use; it just tells you what the tools should be able to achieve.

The CMMC rules don’t, for example, extend to creating a Vulnerability Disclosure Program.

Nor do they enforce the rapid security incident response that is necessary in today’s fast-moving world, where identifying supply chain risks is only half the battle. The other half is remediating the vulnerabilities quickly enough that your supply chain doesn’t kink up and place your business at risk.

To meet challenges like these, you need an automated, efficient means of identifying and managing supply chain risks across the entire risk lifecycle. CMMC compliance addresses only part of this challenge.


Findings can help businesses of all types build a supply chain security strategy that includes, but is not limited to, meeting CMMC 2.0 requirements. Use Findings to identify your compliance gaps and remediate them to meet CMMC 2.0 rules. At the same time, lean on Findings to ensure you can react rapidly and systematically when supply chain risks emerge.

Schedule a demo to learn more.

A Complete Checklist To Supply Chain Security

Cybersecurity compliance frameworks and standards are a great starting point for managing supply chain security risks. But if your security strategy hinges solely on frameworks, you’re doing it wrong.

As The Cybersecurity Place puts it, “compliance alone won’t save you” from modern security risks.

Indeed, while embracing a cybersecurity framework is an important — and, for many organizations, necessary — first step toward securing the supply chain, businesses shoot themselves in the foot if they stop with framework adoption alone. No matter which framework you use internally, or which frameworks you require your vendors to comply with, the framework on its own is of limited value. You must also implement processes that actually operationalize the framework, allowing you to enforce compliance among your vendors.

Let’s take a look at what goes into a complete supply chain security strategy. As we’ll see, it starts with cybersecurity frameworks like NIST and ENISA, but it extends far beyond those frameworks alone.

The core components of a cybersecurity framework: The NIST example

Cybersecurity frameworks are an excellent foundation that helps businesses define overarching supply chain security principles.

For example, the NIST framework, which is popular among U.S. companies (European companies tend to use ENISA, which is similar to NIST), defines rules designed to help businesses achieve four key goals:

  • Identify: NIST requires processes that allow organizations to identify and understand their cybersecurity risks.
  • Protect: After risks have been identified, NIST requires businesses to take steps to mitigate them in order to improve their cybersecurity posture.
  • Detect: As not all risks can be identified and mitigated, NIST also requires ongoing efforts to detect active threats.
  • Respond: When active threats have been detected, NIST requires responses that can contain and eliminate them.

By adopting a framework like NIST or ENISA, then, businesses gain a high-level architecture that helps them plan a cybersecurity strategy.

Processing tools for supply chain security

The main limitation of frameworks alone is that they provide little if any specific guidance on how to turn high-level cybersecurity principles into practice. As a result, businesses also need to implement security processing tools that allow them to operationalize cybersecurity practices in ways that align with framework requirements.

Processing tools do this in the context of supply chain security by providing:

  • Vulnerability assessment: Processing tools identify risks within the products and services that third-party vendors supply to a business.
  • Coverage assessment: Processing tools help identify situations where vendors lack effective cybersecurity coverage.
  • Visibility assessment: Processing tools enable businesses to profile their vendors and suppliers in order to understand which risks exist within their systems — and which risks could, by extension, flow down the supply chain.
  • Business alignment: With processing tools, businesses can determine which risks in the supply chain pose the greatest threats to their operations. This context is essential because not all vendors and risks are of equal importance within a supply chain.

By providing this functionality in an automated way, processing tools go far in closing the gap between principle and practice. Indeed, as the SANS Institute says, automation is the only way to enforce security compliance mandates in complicated contexts like supply chains.

Managing contractual requirements

What do you do when processing tools reveal that vendors are not fully adhering to your cybersecurity requirements?

That’s where contracts and evidence come into play. Companies must maintain documents and signatures related to the security frameworks they adopt within their supply chains, then use them to enforce compliance when violations occur. Contracts also play an important role in determining which disclosures are required in the event of a supply chain breach.

Remember to update your contracts if, for example, you adopt a newer version of a cybersecurity framework or change your supply chain in a way that imposes new compliance requirements or verifications.

Most large organizations manage contractual requirements through a dedicated security team or CISO. At smaller organizations, a procurement team or IT team typically handles this responsibility. Your specific approach to vendor contract management is not as important as ensuring there is a systematic process in place for defining and enforcing contractual security agreements across your supply chain.

Supply chain security management: Responding to a crisis

The final key step in managing supply chain risks is having a plan in place to respond to incidents when they occur. You don’t want to wait for a breach to decide what to disclose, or how to contain the threat and so on.

Your response plan should define the following points:

  • Who will perform which tasks in response to an incident. Remember that many incidents require responses not just from technical stakeholders, but from other departments such as legal and PR.
  • Which vendors you will use as a backup in the event that one key vendor is breached.
  • How the response will be documented.
  • How you will determine whether public disclosure of a breach is required, and how you will manage that disclosure.

In addition to developing a response plan, run drills so that your team can practice responding to a supply chain breach, before a real-life incident occurs. You should also strive to keep your team focused on the big picture. As you can’t predict the exact nature of a breach, it’s best to learn how to think holistically and creatively about managing incidents, rather than investing in rote reaction plans that may be too specific to apply to a given incident.

Last but not least, ensure that you have a response plan that will allow you to react quickly and effectively when a major security incident occurs within your supply chain. Your goal should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.

How Your Competitors Are Preventing Supply Chain Attacks

Supply chain security threats are like the flu: Sooner or later, they’re bound to impact you, no matter how hard you try to avoid them.

Indeed, by their very nature, supply chain attacks are more likely to affect large numbers of organizations than most other types of breaches. The majority of cyber threats target individual companies. But a single supply chain attack could impact hundreds or thousands of businesses at once if it compromises software or data within their supply chains.

For proof of just how pervasive supply chain security risks are, you need only look at recent examples. The SolarWinds breach impacted dozens of organizations, including major U.S. federal agencies. The Kaseya breach extended to thousands of businesses spread throughout the world that use Kaseya’s software. Expect more figures like these as the prevalence of supply chain attacks — a threat that one major security research report called “staggeringly high” — continues to grow at rates approaching 400 percent.

That’s the bad news. The good news is that, as explained below, there are effective steps you can take to protect your business from supply chain risks. They won’t completely guarantee immunity from attack, but they’ll go a long way toward mitigating the threat.

Why are supply chains so risky?

The first step in managing supply chain threats is understanding what makes supply chains inherently risky.

The reasons are simple enough: Supply chains typically involve many suppliers, and it’s difficult to maintain visibility into the security state of each of them.

By comparison, it’s relatively easy to secure your own IT assets — meaning those you deploy and manage yourself. But it’s much harder to ensure that your vendors’ and suppliers’ IT environments are secure — especially when you have dozens or hundreds of vendors in your supply chain.

Managing supply chain security: The typical response

The typical playbook for managing supply chain risks includes some basic steps:

  • Compliance: Requiring suppliers to adhere to cybersecurity standards like the U.S. government’s NIST framework or the E.U.’s ENISA/ISO can help to reduce the prevalence of threats. But actually enforcing compliance across third-party vendors’ businesses can be difficult.
  • Vetting: Businesses often enforce vetting processes for new vendors. That’s good, but it doesn’t guarantee that you’ll avoid risks once a vendor relationship has already been established.
  • Cybersecurity teams: Investing in cybersecurity expertise can help harden IT assets against attack. But your own cybersecurity experts can’t do much to protect the assets of your vendors.

These are all useful strategies for managing supply chain risks. But they’re not enough on their own to make your security posture as strong as possible.

Going further to secure the supply chain

Beyond those basic supply chain security steps, businesses should implement additional measures to make their supply chains as safe as possible.

Access control

Businesses should implement tight access controls to govern who can access their systems. Access should be defined in a granular way and restricted by the principle of least privilege.

In many countries, regulations make supply chain cyber security a legal requirement. Companies must comply with a security framework and checklist; once this checklist is completed, the vendor can prove that increased controls are in place. While strong access controls won’t prevent risks in your supply chain, they will reduce the chances that a vendor’s cybersecurity problem becomes your cybersecurity problem.

Technology investment

Given the complexity and scale of modern supply chains, managing their security manually is not feasible in most cases. That’s why it’s wise to invest in tools that are purpose-built to assess and manage supply chain risks automatically, across all vendors’ IT estates.

Maximum visibility and coverage

Along similar lines, businesses should leverage automation technology to maximize their ability to identify and track security risks within their supply chains. This is also a process that you can’t handle manually unless you have a very simple supply chain.

Vendor Education

In addition to asking your vendors to be secure, consider providing educational resources that explain exactly how they should secure their assets. These resources could be based on cybersecurity standards that you want to enforce across your supply chain. A vendor’s transparency, should a breach occur, can also provide valuable feedback to others in that supply chain.

Assess vendor risk

Not all vendors pose the same level of risk. Risks vary depending on which types of data and applications the vendors supply or integrate with, and how important the vendors are to your business.

This means you should contextualize vendor risk and enforce security safeguards accordingly. High-risk vendors may require stronger oversight than those whose assets play a less central role in your operations.

Cybersecurity drills

Planning how to respond to a supply chain breach, then practicing the response via cybersecurity drills, goes a long way toward helping ensure a fast and effective resolution when attacks occur. In particular, your response plan and drills should address:

  • Business risks: It should be easy to identify which parts of the business are impacted by a breach and what level of risk their disruption poses to the overall business.
  • Manual vs. automated processes: Which response processes can be automated, and which will need to be performed manually? You’ll want to answer these questions before the breach occurs.
  • Mediation: Which teams or stakeholders will take the lead in managing a supply chain breach? If your organization does not have a CISO in place, then another person from either procurement or the I.T. department could be appointed. Immediate decision-making in a crisis is critical.
  • Disclosure: How will you announce a breach to your customers and partners? How much information should you include about the breach? Different types of breaches and vendors may require different disclosures.

Response drills prepare you to remove risky components from your supply chain rapidly with minimal disruption to business operations.

Supply chain assessment

The most secure business is one that continuously assesses its supply chain to identify its weakest links from a security perspective. Again, not all vendors pose the same level of risk, and not all vendors can be assessed in the same way. You must implement an assessment process tailored to your particular supply chain.

As CIO Review explains, “While threats cannot be completely eliminated, supply chain security can contribute to a more secure, efficient flow of goods that can recover quickly from disruptions.”

In other words, the fact that supply chain security is impossible to guarantee completely is not an excuse for ignoring it. It’s absolutely critical to take not only basic steps for defending your supply chain, but also implementing advanced measures — such as practicing responses and automating supply chain visibility as much as possible — that can bring your risks as close as possible to zero.

Your business continuity and the Coronavirus crisis

Your supply chain is your weak spot during the Coronavirus crisis – how to prepare yourself

Different scenarios and how to protect yourself using a free tool we created for the community

As the concern regarding the global outbreak of coronavirus (Covid-19) increases rapidly, companies are facing the need to quickly adjust their processes to various situations which can affect their business continuity.

The global nature, spread and infection pace of the coronavirus, and their implications, mean that no company should assume it will go by unscathed; every CISO, CIO and CEO should prepare and evaluate a business continuity plan (BCP) immediately.

Living in an interconnected world makes every business vulnerable to 3rd party business continuity risks that can disrupt its processes’ continuity, data and reputation.

One of the main issues to address is the company’s supply chain and other 3rd party readiness measures. Maintaining supply chain BCP in this challenging time is crucial to the ability to ensure minimization of potential impacts.

In the case of Coronavirus, the disruption is mainly created by availability issues arising from the many employees who will be forced to work from home or be hospitalized.

From the supply chain perspective, the main risk scenarios are:

  1. The need for many employees to immediately shift to remote work.
  2. Staff availability issues resulting from employees being hospitalized in cases of illness and being unavailable for long periods of time.
  3. Lack of preparedness of vendors to enable remote and secured operation.
  4. Low compatibility of vendors’ infrastructure (endpoint, connectivity, etc.) with the requirements needed to maintain operation.
  5. Information security issues due to major and uncontrolled changes in the infrastructure serving the business.

Therefore, we decided to provide everyone with a FREE tool that will help you assess and manage your supply chain coronavirus readiness and resiliency.

You can subscribe for your free account here and immediately launch a vendor assessment process.

Your account is now equipped with a ‘Coronavirus resilience assessment’ type. By selecting it under either the ‘add new vendor’ or ‘manage assessment’ tab – your vendors will be able to quickly provide you with an overview of your supply chain weak spots.

The tool will also provide you with automated findings, recommendations and time stamps that will help you manage vendor gaps effectively.

Want to perform a self readiness assessment? No problem – just choose the ‘Coronavirus resilience assessment’ under the ‘manage assessments’ tab and select ‘self assessment’.

If you already have your Findings account – contact our customer success team to activate the tool.

Just click on the link or the button below and start your on-boarding.

Stay healthy!

GE Discloses Data Breach

Tech Giant GE Discloses Data Breach After Service Provider Hack

The recent data breach of a GE supply chain service provider resulted in the theft of PII for many of the company’s employees.

GE currently has customers in more than 180 countries and employs 280,000 people, according to the company’s 2018 annual report.

“The breach occurred at Canon Business Process Services (Canon), a GE service provider, where an email account of a single employee was breached, resulting in an unauthorized party gaining access to an email account that contained documents of certain GE employees, former employees, and beneficiaries entitled to benefits that were maintained on Canon’s systems”.

Also, GE stated that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as “beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”

GE reported the incident to the Office of the California Attorney General and has notified the affected individuals in accordance with data breach laws and the CCPA.

GE said that its IT systems were not affected by the Canon security breach and that it is taking all the necessary measures to prevent a similar incident from happening in the future.

Supply chain cybersecurity risk

This attack highlights the risks of supply chain and third-party provider attacks.

As companies seek to reduce costs and improve operational margins, they rely on suppliers of business services or providers of products to take advantage of the lower costs these partners achieve through specialization and economies of scale.

These strategies are sound business practices in the growing trend toward collaborative eco-systems. In fact, it’s impossible for an organization the size of GE to operate without an efficient global supply chain spanning tens of thousands of subcontractors and vendors.

The cybersecurity risk companies face is the lack of control they have when it comes to protecting the data they now share with, or have hosted by, these suppliers – data that is not always protected with the same level of security that the company itself, as the data owner, would impose on its own resources.

The inability to determine the financial impact of these types of breaches makes it very hard for cost-conscious outsource/third-party suppliers of services or goods to right-size their risk and breach mitigation measures.

The attackers that are leveraging these third-party or supply chain attacks are often identified as political cyber warriors, financial hackers, disgruntled employees, and industrial espionage agents.

These actors have already done the math in assessing the financial value of such purloined information, and have sufficient resources behind them to invest in the attack methods that enable these penetrations and exfiltrations – and to make a positive return on investment.

As the number of attacks and the size/prestige of victims of these breaches increases, companies must be much more diligent in coping with these risks.

What can you do?

When selecting third-party service providers or supplier partnerships, companies must perform reasonable due diligence to assure themselves and their stakeholders that the selection process does not just focus on cost.

The first step is for companies to assess the financial impact such a breach will have on their business in terms of reputation and survivability.

This can be accomplished by first quantifying the risk in monetary terms: a Cyber Risk Quantification exercise can put a financial impact number on the compromise of each type of asset.

Companies should perform this themselves or with the assistance of independent professionals. This should not be done by the out-source provider.

Secondly, each potential provider should demonstrate adequate data security and privacy measures by performing a defensive maturity assessment – ensuring that all security measures are in place, current and fully configured.

There are several industry-specific standards such as ISO, NIST, and others that can provide standard yet independent expertise to conduct the assessments.

These assessments should be performed as necessary: prospective clients/organizations should ask for and receive these security assessments during their selection or on-boarding process, as well as on a periodic basis according to the risk exposure of the vendor.

Obviously, performing manual assessments on such a large scale isn’t practical, meaning an automated solution must be implemented to facilitate this process.


Cyber mitigation has become a fact of life, and therefore companies must make sure that they deal with it effectively. Out-sourcing services or products for resale in an eco-system can be extremely beneficial and enables organizations to move investment off the balance sheet and gain the benefits of markets in sourcing such services, yet they must act aggressively to ensure that their partners are delivering on protecting the company from risks.

A 3rd party assessment cannot and will not prevent a cyber incident, but it will help organizations create a robust supply chain and respond quickly and decisively when an attack occurs – just like GE did.

What makes VRM (Vendor Risk Management) so important?

Importance of VRM (Vendor Risk Management) in Mitigating Data Breach Risks for Global Enterprises

What is VRM, and how to start applying it to your supply chain risk?

A vendor notified a global enterprise that it had suffered a data breach. The vendor was recorded in the enterprise’s VRM system, allowing for quick assessment of exposure and fast action by security and risk personnel. This kind of proper VRM process is expected of modern enterprises and organizations, but is unfortunately rare.

Gartner defines VRM (Vendor Risk Management) as “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance”.

In a cyber security context, this means that organizations need to ensure that elements in their supply chain, such as vendors, partners, integrated systems and others, do not expose them to unnecessary cyber risks. VRM (part of Risk Management) was in the shadow of the more mainstream IT security until very recently.

Organizations have invested heavily in securing their own perimeter, training personnel and refining their security procedures, all in the hope of thwarting an attack from an outside hacker. But cybercriminals are like water: they always seek the path of least resistance. They found that they could gain entrance into heavily defended organizations by working their way up the supply chain, identifying weaker entities with lesser security mechanisms and using these to gain entry to their final objective. As of 2018, supply chain attacks had increased 78 percent between 2017 and 2018, and a recent report states that half of all attacks in 2019 target the supply chain.

Automating Vendor Risk Management

But awareness is not enough. Organizations need to understand if they should address this risk and how to mitigate it. Some organizations are mandated by law or regulation to engage in Vendor Risk Management. These include Critical National infrastructure, defense and homeland security industries as well as financial, healthcare entities.

Others must address VRM as part of their obligation to adhere to GDPR and other privacy policies and regulations, such as the evolving CCPA. We will cover these aspects in follow-up blog posts. But when an organization decides it needs to address the VRM issue, it is usually shocked by the sheer volume of work ahead. This is a combination of the number of vendors that require validation (which could easily reach hundreds for a medium-sized organization) and the manual labor required to validate each and every vendor.

Faced with these challenges, organizations choose to prioritize and focus their attention on the largest vendors or the ones perceived to pose the greatest risk. It is not uncommon for organizations to focus their VRM process on just 5% of their supply chain, leaving the bulk of their supply chain unaccounted for. Organizations that choose to “roll the dice” and play the cost vs. risk game could find themselves in the crosshairs, should they happen to miss the one vendor that eventually causes the breach.

Vendors must be verified, and verification must be automated

Findings approaches this challenge with the view that ALL vendors must be verified. We’ve built our technology platform to enable organizations to automatically assess their exposure. Moreover, we’ve made it exceptionally easy for vendors to assess themselves.

By removing friction, we’ve enabled organizations to effectively assess their entire supply chain without having to “gamble” on whom to check. In the case described at the beginning of this article, a global enterprise used our system to vet its entire supply chain. That, of course, wouldn’t have been possible to achieve with the “old” (manual) methods.

Quick response and communication of the necessary actions, both internally to the board of directors and management and externally to customers, partners and authorities, were enabled by having the vendor documented in the VRM system. With validation and recording in the VRM system, the vendor’s status was determined to require no additional action. Without such documentation in the VRM system, understanding the exposure post-mortem would have taken days instead of the 15 minutes it took with it. The Findings solution enabled the following benefits:

  • Complete coverage
  • Accuracy
  • Reduced time for the initial validation process
  • Reduced time of response once an event has occurred.

VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. However, without an automated, scalable mechanism to support the data input, these solutions are under-utilized and provide only partial coverage. Findings enables organizations to fully utilize them and gain a clear understanding of their entire supply chain exposure.
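The two ideas this archive keeps returning to, tiering vendors by the data and access they have rather than treating them all alike (the "Assess vendor risk" section above) and being able to answer "what is our exposure?" minutes after a vendor reports a breach (the VRM case in this post), can be made concrete with a small vendor register. The following Python is an added illustration written for this page; it is not Findings' platform code, and the weights, tier thresholds and review intervals are constructed assumptions, not values prescribed by NIST, ISO or CMMC. It also shows the failure mode the post warns about: a breach notice from a vendor that was never recorded, and a coverage check for the "we only assessed 5% of our suppliers" gap.

```python
from dataclasses import dataclass

# Constructed weights for a simple vendor risk tiering model (assumptions for
# this example only; any real program should derive its own from its risk appetite).
DATA_WEIGHTS = {"pii": 3, "financial": 3, "credentials": 4, "public": 0}
INTEGRATION_WEIGHTS = {"network_access": 3, "api": 2, "file_exchange": 1, "none": 0}
CRITICALITY_WEIGHTS = {"core": 3, "supporting": 1, "peripheral": 0}
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
BREACH_ACTION = {
    "high": "invoke incident response plan; assess disclosure obligations",
    "medium": "request vendor incident report; re-assess before next cycle",
    "low": "log the notice and monitor",
}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_classes: frozenset   # kinds of our data the vendor handles
    integration: str          # how the vendor connects to our environment
    criticality: str          # how central the vendor is to operations
    assets: tuple = ()        # internal processes/systems depending on the vendor


def risk_score(v: Vendor) -> int:
    """Additive score: most sensitive data class + integration depth + criticality."""
    data = max((DATA_WEIGHTS[d] for d in v.data_classes), default=0)
    return data + INTEGRATION_WEIGHTS[v.integration] + CRITICALITY_WEIGHTS[v.criticality]


def risk_tier(v: Vendor) -> str:
    score = risk_score(v)
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def review_interval_days(v: Vendor) -> int:
    """Higher-risk vendors get re-assessed more often (assumed cadence)."""
    return REVIEW_INTERVAL_DAYS[risk_tier(v)]


class VendorRegister:
    """Minimal VRM register: lookups are by normalized vendor name."""

    def __init__(self, vendors):
        self._by_name = {v.name.casefold(): v for v in vendors}

    def exposure_on_breach(self, vendor_name: str) -> dict:
        """Answer 'what is at risk?' when a vendor reports a breach.

        An unregistered vendor is the failure mode: exposure is unknown and
        the only honest answer is a manual investigation.
        """
        v = self._by_name.get(vendor_name.casefold())
        if v is None:
            return {"known": False, "vendor": vendor_name, "tier": None,
                    "data_at_risk": [], "assets_at_risk": [],
                    "action": "vendor not in register: manual investigation required"}
        tier = risk_tier(v)
        return {"known": True, "vendor": v.name, "tier": tier,
                "data_at_risk": sorted(v.data_classes),
                "assets_at_risk": list(v.assets), "action": BREACH_ACTION[tier]}

    def coverage_gap(self, assessed_names) -> list:
        """Vendors in the register that have never been assessed, riskiest first."""
        assessed = {n.casefold() for n in assessed_names}
        missing = [v for k, v in self._by_name.items() if k not in assessed]
        return sorted((v.name for v in missing),
                      key=lambda n: -risk_score(self._by_name[n.casefold()]))


# Constructed sample register (fictional vendors).
SAMPLE_VENDORS = (
    Vendor("Payroll Processor Ltd", frozenset({"pii", "financial"}), "api", "core",
           assets=("payroll", "benefits-administration")),
    Vendor("Doc Workflow Inc", frozenset({"pii"}), "file_exchange", "supporting",
           assets=("hr-document-routing",)),
    Vendor("Office Supplies Co", frozenset({"public"}), "none", "peripheral"),
)
REGISTER = VendorRegister(SAMPLE_VENDORS)

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: score={risk_score(v)} tier={risk_tier(v)} "
              f"review every {review_interval_days(v)} days")
    print(REGISTER.exposure_on_breach("doc workflow inc"))
    print(REGISTER.exposure_on_breach("Unknown Courier"))
    print("never assessed:", REGISTER.coverage_gap(["Payroll Processor Ltd"]))
```

The scoring is deliberately simple so that the tiers are explainable to procurement and legal; what matters for the post's argument is that the register exists for every vendor, so that `exposure_on_breach` never has to return the "not in register" answer.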
