In today's interconnected digital landscape, we recognise the intricate interdependencies and complexities that exist within the software supply chain security ecosystem. In recent years, the number of software supply chain security (SSCS) attacks has increased exponentially due to:
As a result, SSCS has emerged as the new frontier in Third-Party Risk Management. Further, regulatory scrutiny on SSCS has been steadily rising, and most organisations are not adequately mature enough to manage software supply chain risk and regulatory expectations effectively. We aim to provide a service that helps organisations align their SSCS programme with industry-leading practices and meet regulatory requirements such as EO-140281, DHS Risk Management Act 20212, FDA3, NCSC – Supply Chain Security Guidance4, ENSIA5, DORA6, CRA7, SEBI8, ACSC Cyber Supply Chain Risk Management Guidelines9, MAS10.
Software Supplier Chain Security Use Cases
Note: Multiple use cases may apply to a given organisation. The use cases enlisted are not mutually exclusive and can overlap depending on the organisation’s role.
- Software consumer
- Software builder
- Software publisher
Software consumers are entities or individuals who use software that is built or published by others.
Current solutions and limitations:
Software builders are organisations or individuals who build in-house software for their own use.
Current solutions and limitations:
Software publishers are organisations or individuals who develop and distribute software to consumers or other businesses.
Current solutions and limitations:
How can we help?
KPMG in India has developed an industry-leading SSCS service capability along with Lineaje (our technology alliance partner) to help drive operational efficiencies and a better end-user experience in assessing and managing security risk throughout the software supply chain pipeline.
-
SSCS programme maturity assessment against industry-leading practices and regulatory requirements such as NIST 800-218, BS IMM, EO14028, DHS, DORA, CRA, etc
-
Design and/or uplift
SSCS framework including policy, procedure, standards, and RACI matrix
Open-source management policy
SSCS risk assessment control inventory
-
Perform SSCS risk assessment including SBOM based on defined control inventory
-
Generate and maintain SBOM (Using Lineaje Platform)
Generate SBOM from source code (as-sourced), artifactory (as-built), and containers (as-deployed) and all dependencies including open-source chain and third-party
Update SBOM automatically for each release (major/minor/patches)
-
Assess and monitor open-source code/system
For well-maintained code: Analyse, prioritise and coordinate with the developer to fix the vulnerable components
For unmaintained: Analyse, prioritise, and drive developer fixes the vulnerable code/components
-
Assess and monitor proprietary code: Analyse, prioritise, and coordinate with the developer to fix the vulnerable code/components
-
Remediation management
Log, track, and monitor the identified vulnerabilities, issues, and associated risks related to software products and their supply chains
Manage coordination with the developer to ensure the implementation of adequate control(s) to close the identified gap(s)
Thought Leadership
Our Partnership
Know about KPMG & Lineaje’s Partnership
Key Contacts
To know more about how we at KPMG in India can help your clients build their TPRM programs, please connect with us.
Kunal Pande
National Leader - Digital Trust for Financial Services Sector, National Co-Head - Digital Risk and Cyber
KPMG in India
[1] EO-14028- Executive Order 14028
[2] DHS Risk Management Act 2021- Department of Homeland Security Risk Management
[3] FDA- Food and Drug Administration
[4] NCSC – Supply Chain Security Guidance- National Cyber Security Centre Supply Chain Security Guidance
[5] ENSIA- European Network and Information Security Agency
[6] DORA- Digital Operational Resilience Act
[7] CRA- Cyber Resilience Act
[8] SEBI- Securities and Exchange Board of India
[9] ACSC Cyber Supply Chain Risk Management Guidelines- Australian Cyber Security Centre Cyber Supply Chain Risk Management
[10] MAS- Monetary Authority of Singapore
[11] SBOM- Software Bill of Materials
[12] VEX- Vulnerability Exploitability eXchange
[13] CSAF- Common Security Advisory Framework