third party
Safeguard articles tagged "third party" — guides, analysis, and best practices for software supply chain and application security.
11 articles
DORA Financial Services Supply Chain Obligations in 2026
The Digital Operational Resilience Act has been in application since January 2025. The ICT third-party risk management obligations are the operational center of gravity in 2026.
Vendor Questionnaire Fatigue And How To End It
Security questionnaires have ballooned into 400-row spreadsheets that nobody reads carefully. Here is how to replace the ritual with evidence ingestion that actually changes vendor risk decisions.
Continuous Vendor Monitoring vs Annual Review
Annual vendor reviews discover problems eleven months too late. Continuous monitoring closes the gap, but only if your TPRM tooling can ingest and normalize signals at vendor scale.
Vendor Incident Coordination In The 72-Hour Window
Most vendor incidents go badly because the first 72 hours are spent figuring out who to call. A pre-built coordination playbook turns chaos into a rehearsed response.
TPRM Vendor Tiering By Blast Radius Not Spend
Most TPRM programs tier vendors by spend. That misses the vendors who are cheap but catastrophic when they fail. Tiering by blast radius is the fix.
Flowing Down CMMC And CRA Clauses To Vendors
CMMC 2.0 and the EU Cyber Resilience Act both require obligations to flow down through your supply chain. Here is how to write the clauses and verify the compliance.
Evaluating Vendor Attestations: SOC 2 / FedRAMP
A SOC 2 report does not mean the vendor is secure. Here is how to read attestations carefully, what FedRAMP actually proves, and how to ingest both at scale.
Fourth-Party Risk: The Supply Chain Of Vendors
Your vendors have vendors. Most TPRM programs stop at the third party and miss the fourth-party blast radius. Mapping the full chain is now a board-level expectation.
Vendor SBOM Ingest Program Blueprint
Asking vendors for SBOMs is easy. Building a program that actually does something with them is harder. Here is a working blueprint that scales past a hundred vendors.
Vendor Risk During M&A Due Diligence
M&A due diligence usually ignores vendor risk until the day after close. By then, the buyer has inherited a vendor portfolio with no visibility and no leverage.
TPRM Budget Justification For The Board
TPRM budgets get cut because the program cannot quantify what it prevents. Here is the framing that lands with boards: avoided losses, regulatory exposure, and continuity.