Supply Chain Risk Score

Aggregate risk rating of the software and hardware supply chain, measuring exposure from open source dependencies, SaaS vendors, and third-party code

Budget Domain: Supply Chain Security

Industry Benchmark

3.2/5

+10.3% from previous period

Industry average: 2.8/5

Calculation Method

Weighted average of: software dependency risk (SCA findings per 1K LOC), critical vendor assessment scores, SBOM coverage rate, and open source health metrics — normalized to a 1–5 scale where 5 = lowest risk

Significance

Supply chain attacks (SolarWinds, XZ Utils, Log4Shell) have become the preferred entry vector for nation-state actors. CISA, NSA, and SEC now mandate supply chain risk visibility as a board-level concern.

What is Supply Chain Risk?

Supply Chain Risk encompasses threats introduced through external software components, hardware, and service providers — including open source libraries, commercial off-the-shelf software, cloud services, and physical hardware with embedded firmware. It spans both intentional tampering (malicious packages) and unintentional exposure (unpatched dependencies).

Risk categories

  • Software dependencies — Vulnerable or malicious npm/PyPI/Maven packages
  • SaaS vendor risk — Vendor breach propagating to your data via API integrations
  • CI/CD pipeline integrity — Build pipeline compromise injecting backdoors
  • Hardware supply chain — Counterfeit or tampered hardware components
  • Open source health — Unmaintained or abandoned dependencies

Why it matters in 2026

Attack vector growth: Software supply chain attacks increased 742% between 2019 and 2025 (Sonatype). The average enterprise has 94% of its software composed of open source.

Regulatory mandate: US Executive Order 14028 and EU Cyber Resilience Act require SBOMs (Software Bill of Materials) for software sold to government and critical infrastructure.

SBOM adoption: Organizations with SBOM programs detect supply chain compromises 68% faster than those without (CISA 2025).

Score interpretation (1–5 scale)

  • 1.0–2.0: High risk — no SBOM, no SCA, unvetted dependencies in production
  • 2.1–3.0: Moderate risk — basic SCA tooling, partial vendor assessments
  • 3.1–4.0: Managed risk — SBOM in place, continuous monitoring, vendor risk program
  • 4.1–5.0: Low risk — automated SBOM, signed artifacts, pipeline integrity attestation
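A worked example of the calculation method and the interpretation bands above, added here as an illustration; it is not the site's own calculator. The component weights, the normalization endpoints (for instance, 10 SCA findings per 1K LOC treated as the worst case), the input field names and the sample inputs are all assumptions, since the page states only the four components, the 1–5 scale with 5 = lowest risk, and the bands.

```python
"""Supply Chain Risk Score: weighted average of four components,
each normalized to 1..5 (5 = lowest risk), then mapped to the
interpretation bands. Added example; weights and thresholds assumed."""

from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1.0, 5.0

# Assumed weights (sum to 1.0); the page does not publish its weights.
WEIGHTS = {
    "dependency_risk": 0.35,   # SCA findings per 1K LOC
    "vendor_assessment": 0.25, # critical vendor assessment scores
    "sbom_coverage": 0.20,     # share of components covered by an SBOM
    "oss_health": 0.20,        # open source health (share actively maintained)
}

# Interpretation bands from the page: upper bound inclusive, one-decimal scores.
BANDS = [
    (2.0, "High risk"),
    (3.0, "Moderate risk"),
    (4.0, "Managed risk"),
    (5.0, "Low risk"),
]


def scale(value: float, worst: float, best: float) -> float:
    """Linearly map value onto 1..5 with worst -> 1 and best -> 5.
    Works in both directions (for findings density, worst > best), and
    clamps so out-of-range inputs cannot push the score off the scale."""
    if worst == best:
        raise ValueError("worst and best must differ")
    frac = (value - worst) / (best - worst)
    frac = min(1.0, max(0.0, frac))
    return SCALE_MIN + frac * (SCALE_MAX - SCALE_MIN)


@dataclass
class Inputs:
    sca_findings: int                 # open SCA findings
    lines_of_code: int                # code base size
    vendor_scores: list = field(default_factory=list)  # critical vendor scores, 0..100
    sbom_covered_components: int = 0
    total_components: int = 0
    oss_health: float = 0.0           # 0..1, share of deps with active maintainers


def normalize(inp: Inputs) -> dict:
    """Normalize each raw measurement to the 1..5 scale."""
    if inp.lines_of_code <= 0 or inp.total_components <= 0 or not inp.vendor_scores:
        raise ValueError("lines_of_code, total_components and vendor_scores are required")
    density = inp.sca_findings / (inp.lines_of_code / 1000.0)  # findings per 1K LOC
    vendor_mean = sum(inp.vendor_scores) / len(inp.vendor_scores)
    coverage = inp.sbom_covered_components / inp.total_components
    return {
        # Assumed endpoints: 0 findings/KLOC is best, 10 or more is worst.
        "dependency_risk": scale(density, worst=10.0, best=0.0),
        "vendor_assessment": scale(vendor_mean, worst=0.0, best=100.0),
        "sbom_coverage": scale(coverage, worst=0.0, best=1.0),
        "oss_health": scale(inp.oss_health, worst=0.0, best=1.0),
    }


def risk_score(inp: Inputs) -> float:
    """Weighted average of the normalized components, one decimal like the page."""
    comps = normalize(inp)
    return round(sum(WEIGHTS[k] * comps[k] for k in WEIGHTS), 1)


def interpret(score: float) -> str:
    """Map a 1..5 score to the page's interpretation band."""
    score = round(score, 1)
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


# Constructed sample organisation (not real data).
SAMPLE = Inputs(
    sca_findings=600,
    lines_of_code=200_000,       # -> 3.0 findings per 1K LOC
    vendor_scores=[80, 60, 70],  # mean 70/100
    sbom_covered_components=45,
    total_components=60,         # 75% SBOM coverage
    oss_health=0.6,
)

if __name__ == "__main__":
    s = risk_score(SAMPLE)
    print(f"Supply Chain Risk Score: {s}/5 ({interpret(s)})")
```

Because the SCA component is a "lower is better" measure while the other three are "higher is better", `scale` is called with `worst > best` for findings density; clamping keeps a pathological input (for example, a vendor score above 100) from inflating the aggregate. In practice the weights should be agreed with the risk owner and recorded alongside the score, since the same raw inputs can land in different bands under different weightings.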