
The Change Healthcare ransomware attack of February 2024 compromised the personal data of an estimated 100 million Americans and disrupted claims and payment processing across much of the U.S. healthcare system for weeks. The attackers did not need an exploit against Change Healthcare's core platform. According to UnitedHealth Group's own testimony to Congress, they logged in with stolen credentials to a Citrix remote-access portal that did not enforce multi-factor authentication, then moved through the network from there. Hospitals lost billions in cash flow. Pharmacy chains could not process prescriptions. For every provider that depended on Change Healthcare as a clearinghouse, the single point of failure was not technology they owned. It was a procurement decision.

This is the new reality. Third-party cyber risk is not an IT problem that occasionally touches procurement. It is a procurement problem that requires deep technical literacy. The SolarWinds attack of 2020, in which a trojanized Orion update was pushed to roughly 18,000 customers, including nine federal agencies, originated in the build pipeline of a software vendor that thousands of procurement teams had sourced and contracted. The MOVEit Transfer breach of 2023 cascaded through 2,500+ organizations from a single zero-day vulnerability in a single third-party file-transfer tool.

When the board asks who approved these suppliers, whose contracts lacked cyber clauses, and who is monitoring the sub-tier vendors today, the answer lands on the CPO's desk. Here is what procurement leaders must build to answer that question credibly.

100M
Individuals affected by the Change Healthcare breach (Feb 2024)
18,000
Organizations that received the trojanized SolarWinds Orion update (2020)
2,500+
Organizations affected by the MOVEit Transfer vulnerability cascade (2023)

The Regulatory Landscape Is No Longer Optional

Four regulatory frameworks have transformed third-party cyber risk from a best-practice recommendation into a legal compliance obligation that procurement must operationalize. Each one puts specific demands on how vendors are selected, contracted, monitored, and removed.

SEC Cybersecurity Disclosure Rules

The U.S. Securities and Exchange Commission's cybersecurity disclosure rules, effective December 2023, require public companies to report a cybersecurity incident on Form 8-K within four business days of determining that it is material, and to describe in their annual report their processes for assessing, identifying, and managing material risks from cybersecurity threats, including risks associated with their use of third-party service providers. This is the rule that turned vendor cyber risk into a board-level fiduciary duty. If a supplier breach causes material financial or operational damage, the company must disclose it, and the board will want to know how the contract was structured, whether cyber due diligence was performed, and whether monitoring was in place.

The SEC's Regulation S-K Item 106 specifically asks whether the registrant has processes to oversee and identify risks from cybersecurity threats associated with its use of any third-party service provider. For procurement, this means every strategic vendor relationship now carries disclosure risk. Procurement should be able to show, with evidence, that cyber due diligence was performed before contract signing and that monitoring is in place throughout the relationship.

NIST SP 800-171 and SP 800-53

For organizations that handle federal data or contract with the U.S. government, NIST Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, and the broader NIST SP 800-53 control catalog are the operating standards. NIST SP 800-171 Revision 2, the version CMMC currently references, specifies 110 security requirements across 14 families, including access control, incident response, and system and communications protection. (Revision 3, published in 2024, consolidates these into 97 requirements across 17 families.) SP 800-53 Revision 5 is the broader control catalog from which 800-171 is derived, and the baseline that federal systems, including those operated by contractors on an agency's behalf, must meet.

The procurement implication is concrete: under DFARS 252.204-7012, any supplier that stores, processes, or transmits CUI must implement NIST SP 800-171. Procurement teams must verify the supplier's System Security Plan (SSP), review its Plans of Action and Milestones (POA&Ms) for any requirement not yet fully met, and hold the supplier to a contractual obligation to maintain compliance throughout the contract lifecycle.

110
Security requirements in NIST SP 800-171 Rev. 2 for suppliers handling controlled unclassified information

CMMC 2.0 — Defense Supply Chain Certification

The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule (32 CFR Part 170) was published in October 2024, and the DFARS acquisition rule that writes it into contracts took effect in November 2025. The program requires defense contractors and their subcontractors to demonstrate compliance at a level set by the sensitivity of the information they handle. Level 1 (Federal Contract Information) is a self-assessment. Level 2, the baseline for suppliers handling CUI, is assessed against the NIST SP 800-171 requirements; depending on the contract, either a self-assessment or an independent assessment by a CMMC Third-Party Assessment Organization (C3PAO) is required. Level 3 adds a subset of NIST SP 800-172 requirements for the most sensitive programs and is assessed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The supply-chain ripple effect is massive. Prime contractors such as Lockheed Martin, Boeing, and General Dynamics must ensure every subcontractor and sub-subcontractor in their supply chain is certified. Procurement is the function that collects certification evidence, manages non-compliance risks, and prevents uncertified vendors from being awarded contracts. CMMC clauses must flow down through every tier of the supply chain, and procurement systems must enforce certification requirements at the point of supplier onboarding.

DORA — Europe's Digital Operational Resilience Act

Applying from January 17, 2025, the EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) covers 22,000+ financial entities across the EU and imposes one of the most stringent ICT third-party risk management regimes ever enacted. DORA requires financial entities to manage ICT third-party risk through a structured framework that includes: mandatory contractual provisions covering service levels, termination rights, and the conditions under which an ICT provider may subcontract services supporting critical or important functions; audit and access rights over those providers; direct oversight by the European Supervisory Authorities of designated critical ICT third-party providers (CTPPs); and threat-led penetration testing (TLPT) at least every three years for the financial entities designated for it, with the ICT providers that support the tested critical functions required to take part.

The European Supervisory Authorities designated the first set of critical ICT third-party providers in 2025, placing them under direct regulatory oversight. For procurement teams in financial services, and for the suppliers that serve them, DORA is not a compliance exercise. It is a contractual and operational mandate. Every ICT vendor contract must include the DORA-mandated provisions. Subcontractor chains must be mapped and monitored. And procurement must maintain the register of information covering all contractual arrangements for ICT services, kept current and available to the supervisor on request.

"The SEC rule requires companies to describe their processes for overseeing and identifying material risks from cybersecurity threats associated with their use of any third-party service provider. This is the first time U.S. securities law has explicitly codified third-party cyber risk management as a board-level governance obligation."

The Procurement Blind Spot: Fourth-Party Risk

The most dangerous gap in most TPRM programs is the fourth party: the sub-tier vendor that your supplier has contracted, which you have never assessed. The Change Healthcare outage hit thousands of hospitals and pharmacies that had no contract with Change Healthcare at all; they depended on it through their clearinghouse, billing vendor, or pharmacy benefit manager. The SolarWinds compromise was injected in the vendor's own build system, where no customer questionnaire could have seen it. The 2024 PandaBuy breach exposed the data of roughly 1.3 million users, reportedly through a compromised third-party service provider.

McKinsey research has found that while most organizations have strong visibility into tier-one suppliers (approximately 95%), that figure collapses to roughly 42% or less beyond tier two. The sub-tier problem is not merely a visibility gap. It is a contractual gap. Most procurement contracts contain no flow-down provisions requiring the supplier to hold its own subcontractors to the same security standards. Without these clauses, the buying organization has no contractual recourse when a fourth-party breach occurs.

~95%
Tier-1 supplier visibility in most procurement organizations
<42%
Visibility beyond Tier-2 suppliers

Vendor Cyber Assessment Frameworks: What Works and What Does Not

The traditional vendor cyber assessment, a long-form questionnaire sent annually, filled out by the supplier's sales team, and filed away without follow-up, is the security equivalent of a paper shredder that has never been plugged in. The Shared Assessments Program's Standardized Information Gathering (SIG) questionnaire, while comprehensive, runs to several hundred questions and creates an unsustainable workload for both procurement teams and suppliers.

Leading organizations are moving to a tiered assessment model:

  1. Tier 1 — Low-risk vendors. Automated external attack surface scanning (e.g., SecurityScorecard, BitSight) and dark web monitoring replace questionnaires entirely. If the supplier's external security rating falls below a threshold, the relationship is escalated. SecurityScorecard rates over 12 million companies on an A–F scale across 10 risk factor groups, including network security, DNS health, patching cadence, and hacker chatter.
  2. Tier 2 — Moderate-risk vendors. A lightweight assessment combining automated scanning with a focused questionnaire (SIG Lite or equivalent) covering the highest-risk control families — access management, incident response, encryption, and vendor security program governance. This replaces the full SIG questionnaire with targeted verification.
  3. Tier 3 — Critical and high-risk vendors. Full assessment including the SIG questionnaire, evidence review, and a live assessment or penetration test by internal or independent assessors. Contracts require a current SOC 2 Type II report, ISO/IEC 27001 certification, or, for CUI, a CMMC assessment against NIST SP 800-171. Continuous posture monitoring via security rating services is mandatory. On-site or virtual validation occurs at a frequency determined by risk level, typically annually for critical vendors, with continuous monitoring between assessment cycles. A practitioner's check worth building into the evidence review: confirm that the SOC 2 report's audit period actually covers the services you buy and has not lapsed, and that the ISO 27001 certificate's scope statement includes the business unit and locations that will handle your data.

BitSight, one of the leading security rating platforms, monitors over 200,000 organizations and provides risk scores based on externally observable data including botnet infections, spam propagation, open port exposure, and TLS configuration and certificate hygiene. The platform integrates with procurement systems including SAP Ariba and ServiceNow Vendor Risk Management to push scores directly into sourcing and supplier management workflows.

12M+
Companies rated by SecurityScorecard's third-party risk monitoring platform

Cyber Clauses in Procurement Contracts: The Minimum Viable Baseline

If your procurement contracts do not contain enforceable cybersecurity provisions, you do not have a TPRM program — you have a hope-based risk acceptance strategy. The following clauses should appear in every supplier agreement that involves any degree of data access, system connectivity, or software dependency:

  1. Minimum security standards. A clearly defined security baseline referencing a recognized framework — NIST SP 800-171 for defense contractors, ISO 27001 for general commercial suppliers, or the HITRUST Common Security Framework for healthcare. The clause should require the supplier to maintain compliance throughout the contract term and provide evidence upon request.
  2. Breach notification. Maximum notification timeline, typically 24 to 72 hours from the supplier becoming aware of the incident, with mandatory disclosure of scope, data types affected, and remediation plan. Note what the regulatory clocks actually measure: the SEC's four business days run from the moment the buying company determines an incident is material, GDPR Article 33 gives a controller 72 hours to notify the authority and requires its processors to notify it without undue delay, and DORA's initial major-incident report is due within hours of classification. A supplier that takes 72 hours to tell you leaves no time to make those determinations, so 24 hours is increasingly the market standard for critical vendors, with an initial notice on discovery and details to follow.
  3. Audit and assessment rights. The right to conduct on-site assessments, request penetration test results, require independent security audits, and review evidence of continuous compliance at any time with reasonable notice. Under DORA, audit and access rights are mandatory contract terms for any ICT service supporting a critical or important function.
  4. Subcontractor flow-down. A provision requiring the supplier to impose identical security obligations on all sub-contractors and fourth-party vendors. Without flow-down, fourth-party risk is unmanaged contractual risk.
  5. Cybersecurity insurance minimums. Minimum coverage thresholds — typically $5 million to $10 million per occurrence for cyber liability and errors & omissions, with the buying organization named as an additional insured. Certificates of insurance should be required annually.
  6. Data handling and protection. Specific requirements for data encryption (at rest and in transit), data retention and disposal, access controls, multi-factor authentication, and geographic data residency restrictions where applicable.
  7. Termination for cause on security grounds. The right to terminate the contract immediately, without penalty, if the supplier suffers a material breach of security obligations, fails a critical compliance assessment, or experiences a security incident that materially impacts the buying organization.

The International Association of Privacy Professionals notes that the 2024–2025 contracting cycle has seen a significant increase in both the specificity and enforceability of cybersecurity contract provisions, driven largely by the SEC rules and DORA. Procurement legal teams that have not updated their standard boilerplate since 2023 are running material uncorrected risk.

Continuous Monitoring vs. Point-in-Time Assessments

The single most important shift in third-party cyber risk management is the move from point-in-time assessment to continuous monitoring. An annual questionnaire tells you what a vendor's security posture looked like on the day they filled it out — which could be 11 months before a breach occurs. Continuous monitoring tells you what the vendor's posture looks like right now.

Security rating services such as BitSight, SecurityScorecard, and UpGuard provide continuously updated ratings based on externally observable data: scan findings, configuration changes, certificate expirations, dark web exposure, and breach notifications. Gartner has identified continuous security rating monitoring as a core component of any enterprise TPRM program, projecting that by 2026, 70% of large enterprises will use security ratings as a primary vendor risk assessment method, up from 30% in 2022.

The business case for continuous monitoring is straightforward. The average dwell time of a supply chain attacker, the period from initial compromise to detection, was 254 days in 2024, according to the Verizon Data Breach Investigations Report. An annual questionnaire answered before the intrusion began says nothing about it, however honestly it was completed. Continuous external monitoring can surface the observable symptoms of compromise, such as newly exposed services, replaced or expired certificates, leaked credentials on criminal forums, and botnet traffic from the supplier's address space, within days. One caveat practitioners should keep in view: rating services see only the supplier's internet-facing footprint. They do not see inside the supplier's network, so they complement, rather than replace, the supplier's own detection capability and the breach notification clause in the contract.

"The average dwell time of a supply chain attacker — the time between initial compromise and detection — was 254 days in the 2024 Verizon DBIR. A point-in-time assessment performed 11 months before that detection window closes provides zero defense against an attacker already inside the environment."

Insurance Implications: When Cyber Premiums Reflect Procurement Practices

The cyber insurance market has undergone a structural transformation since the 2021 ransomware wave, and third-party risk is now a central underwriting factor. Brokers such as Aon and Marsh, and carriers such as Chubb, increasingly require policyholders to demonstrate a mature TPRM program, including continuous monitoring of critical suppliers, as a condition of coverage or premium pricing.

Marsh's 2024 Cyber Insurance Market report found that organizations with documented vendor risk assessment processes, contractual cyber clauses, and continuous monitoring programs saw average premium reductions of 12–18% compared to peers without structured TPRM programs . Conversely, organizations that could not demonstrate vendor due diligence processes faced premium increases of 25–40% or, in some cases, denial of coverage for supply-chain-related claims.

The insurance underwriting question has shifted from "do you have cyber insurance for your suppliers?" to "can you demonstrate that your procurement function systematically assesses, contracts for, and monitors supplier cyber risk?" Procurement teams that answer poorly drive up their organization's risk premium — not just the cost of insurance but the cost of capital across the enterprise.

Building a TPRM Program Integrated with Procurement Workflows

An effective TPRM program cannot live in a cybersecurity silo. It must be embedded into the procurement lifecycle — from supplier identification through onboarding, sourcing, contracting, ongoing management, and offboarding. Here is the architecture leading organizations are deploying:

  1. Pre-contract vendor cyber screening. Security ratings, dark web exposure, and public breach history are checked before the supplier enters the formal sourcing pipeline. Minimum security thresholds are enforced at the RFP stage — suppliers that fall below the threshold are disqualified before procurement teams invest resource in negotiation.
  2. Contractual cyber baseline embedded in standard terms. Every supplier agreement includes the seven minimum cyber clauses described above. Legal and procurement maintain a single, approved template that cannot be modified without risk committee escalation.
  3. Continuous monitoring via security rating APIs. SecurityScorecard, BitSight, or UpGuard ratings are pulled automatically into the supplier management system. Threshold breaches trigger automated alerts to both procurement and the CISO. Supplier risk scores are visible in the same dashboard as financial health, ESG, and operational metrics.
  4. Tiered reassessment frequency. Critical vendors (Tier 3) undergo full reassessment every 12 months with continuous monitoring between cycles. Moderate-risk vendors (Tier 2) are reassessed every 24 months. Low-risk vendors (Tier 1) are monitored continuously via external scanning with no formal reassessment unless a risk threshold is breached.
  5. Incident response integration. When a supplier breach is detected — whether via security rating alert, supplier notification, or public disclosure — a predefined incident response playbook is triggered. Procurement leads the contractual response (notification enforcement, remediation timeline, insurance claim activation) while the CISO team leads the technical response.
  6. Offboarding with data assurance. When a supplier relationship ends, procurement must verify that the supplier has destroyed or returned all sensitive data per contract terms. Security rating services are monitored for post-termination exposure — an increasingly common vector for residual breach risk.

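The tiered assessment model and steps 1, 3 and 4 of this workflow reduce to a small amount of policy logic that procurement and security can agree on in writing before any tooling is bought. The Python below is an added example written for this article, not code from any rating service or procurement platform. It assumes a hypothetical daily feed of 0–100 supplier scores (the products named above expose scores through their APIs, but the field names, tier floors, and every observation here are constructed), and it encodes the article's tier floors, a sustained-drop rule so that a single noisy scan does not page the CISO, a sudden-drop rule for the breach-day case, and the 12/24-month reassessment calendar.

```python
"""Tiered supplier cyber-risk monitor.

Added example for this article; not code from any security rating service or
procurement platform. Scores are assumed to be 0-100 (higher is better) and the
portfolio at the bottom is constructed sample data, not real suppliers.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Tier policy following the article's model. The score floors are assumptions:
# set them to match the scale your rating provider actually uses.
TIER_POLICY = {
    1: {"min_score": 60, "reassess_days": None},  # continuous monitoring only
    2: {"min_score": 70, "reassess_days": 730},   # full reassessment every 24 months
    3: {"min_score": 80, "reassess_days": 365},   # full reassessment every 12 months
}

# Consecutive daily observations below the floor before escalating. One bad
# scan (a transient finding or a rating-service false positive) should not page
# the CISO; three days in a row is a real posture change. Assumption.
SUSTAIN_DAYS = 3
# A one-day fall of this many points is escalated immediately even when the
# score is still above the floor: it usually means a new public breach or a
# newly exposed service, which is exactly what continuous monitoring is for.
SUDDEN_DROP = 15


@dataclass
class Supplier:
    name: str
    tier: int
    last_full_assessment: date
    history: list = field(default_factory=list)  # (date, score), oldest first


def passes_rfp_gate(tier: int, score: Optional[int]) -> bool:
    """Pre-contract screen (step 1): no rating, or a rating below the tier
    floor, disqualifies the supplier before negotiation starts."""
    return score is not None and score >= TIER_POLICY[tier]["min_score"]


def reassessment_due(s: Supplier, today: date) -> bool:
    interval = TIER_POLICY[s.tier]["reassess_days"]
    return interval is not None and today >= s.last_full_assessment + timedelta(days=interval)


def evaluate(s: Supplier, today: date) -> dict:
    """Steps 3 and 4: apply the floor, the sustained-drop and sudden-drop rules,
    and the reassessment calendar; return the alerts to route."""
    floor = TIER_POLICY[s.tier]["min_score"]
    scores = [score for _, score in s.history]
    alerts = []
    if not scores:
        # Missing data is itself a finding: an unmonitored supplier is a blind spot.
        alerts.append("no rating data available")
    else:
        current = scores[-1]
        recent = scores[-SUSTAIN_DAYS:]
        if len(recent) == SUSTAIN_DAYS and all(x < floor for x in recent):
            alerts.append(f"score {current} below tier-{s.tier} floor {floor} for {SUSTAIN_DAYS} days")
        if len(scores) >= 2 and scores[-2] - current >= SUDDEN_DROP:
            alerts.append(f"sudden drop {scores[-2]}->{current}")
    if reassessment_due(s, today):
        alerts.append("full reassessment overdue")
    return {"supplier": s.name, "tier": s.tier, "alerts": alerts, "escalate": bool(alerts)}


def run_monitor(suppliers, today: date):
    """One evaluation per supplier; anything with escalate=True goes to both
    procurement and the CISO, as the article's step 3 requires."""
    return [evaluate(s, today) for s in suppliers]


def _daily(start: date, scores):
    """Build a (date, score) history from consecutive daily scores."""
    return [(start + timedelta(days=i), sc) for i, sc in enumerate(scores)]


# Constructed sample portfolio (hypothetical names and ratings).
SAMPLE_SUPPLIERS = [
    # Critical vendor sliding below its floor for three days, and overdue for reassessment.
    Supplier("Acme Clearing", 3, date(2024, 3, 1), _daily(date(2025, 6, 6), [84, 83, 79, 78, 77])),
    # Low-risk vendor still above its floor but with a sudden 18-point drop.
    Supplier("Bolt Logistics", 1, date(2024, 5, 20), _daily(date(2025, 6, 8), [72, 73, 55])),
    # Moderate-risk vendor with a one-day dip that recovers: no alert.
    Supplier("Crest Print", 2, date(2024, 1, 15), _daily(date(2025, 6, 7), [75, 76, 68, 74])),
]


def sample_run():
    """Evaluate the constructed portfolio as of a fixed date."""
    return run_monitor(SAMPLE_SUPPLIERS, date(2025, 6, 10))


if __name__ == "__main__":
    for result in sample_run():
        print(result)
```

Two design choices are worth carrying into a real deployment. The sustained-drop rule and the sudden-drop rule are deliberately separate: the first filters rating-service noise, the second makes sure the one-day collapse that follows a public breach is never averaged away. And the absence of data is treated as an alert rather than a pass, because a supplier that has silently dropped out of the feed is exactly the blind spot the fourth-party section warns about.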
12–18%
Average cyber premium reduction for organizations with documented TPRM programs
70%
Projected share of large enterprises using security ratings for vendor risk by 2026 (Gartner)

The Procurement Mandate

The question is no longer whether procurement should own third-party cyber risk. The SEC, the DoD, and EU regulators have answered that question. The question is whether procurement organizations will build the capabilities to own it well.

The CPOs who succeed will treat cyber risk management as a core procurement competency — not a security function that procurement supports. They will embed cyber screening into sourcing workflows, enforce contractual cyber clauses as rigorously as payment terms, deploy continuous monitoring across their supplier portfolios, and integrate TPRM into the procurement lifecycle from RFI to offboarding. They will build the data infrastructure to answer the board's question — "which of our suppliers could take us down?" — with evidence, not guesswork.

The suppliers that survive the coming compliance wave will be the ones that invest in cybersecurity certifications, provide evidence of continuous monitoring, and treat security as a competitive differentiator in procurement evaluations. The suppliers that do not will be systematically pruned from procurement portfolios — not because of a single breach, but because the CPO will have no choice.

Regulation, after all, is the most powerful catalyst procurement has. And the regulation has arrived.
