
Module 70: Vendor Management and Supply Chain Security

CCSP Domain 6 — Legal, Risk & Compliance, Section C
The CCSP exam views vendor management as ongoing risk management, not a one-time procurement activity. Selecting a cloud provider is the beginning of vendor management, not the end. The exam tests whether you continuously monitor, evaluate, and govern your cloud provider relationships.

Vendor Management Lifecycle

The CCSP exam tests vendor management as a continuous lifecycle:

Selection and Due Diligence

Covered in Module 69, the selection phase evaluates providers against security, compliance, and business requirements. The exam expects a structured evaluation process using weighted criteria, not informal preference.

Onboarding

After selection, the onboarding phase establishes the operational relationship: configuring integrations, establishing communication channels, defining escalation paths, and setting baseline performance metrics. The exam tests whether security requirements are implemented during onboarding, not deferred.

Ongoing Monitoring

The bulk of vendor management occurs during the relationship. The exam tests continuous monitoring activities:

  • Regular review of SLA performance against agreed metrics
  • Annual review of audit reports (SOC 2 Type II reports, ISO/IEC 27001 certificates and surveillance audit results), confirming that the report's scope and period actually cover the services and regions you use
  • Monitoring provider security advisories and incident disclosures
  • Tracking subcontractor changes and their security implications
  • Evaluating provider financial health and business continuity
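The first bullet, reviewing SLA performance against agreed metrics, is easy to get wrong in practice: overlapping incidents get double-counted and incidents that straddle the measurement window get counted in full. The following is an added example, not from this page or any provider's tooling, that computes monthly availability from constructed incident records, merging overlaps and clipping to the calendar month before comparing against an assumed 99.9% target.

```python
"""Monthly SLA availability check against constructed incident records (added example)."""
from datetime import datetime

# Assumed contract figure: 99.9% monthly availability (a common tier; not from this page).
SLA_TARGET_PERCENT = 99.9

# Measurement window: one calendar month, half-open [start, end).
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)

# Constructed incident windows (start, end), as a provider status feed or your own
# synthetic probes might record them. Note the overlap and the window crossing month end.
INCIDENTS = [
    (datetime(2024, 2, 28, 9, 0), datetime(2024, 2, 28, 9, 30)),    # previous month, ignored
    (datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 10, 25)),    # 25 min
    (datetime(2024, 3, 4, 10, 15), datetime(2024, 3, 4, 10, 40)),   # overlaps the one above
    (datetime(2024, 3, 31, 23, 50), datetime(2024, 4, 1, 0, 20)),   # only 10 min fall in March
]


def merged_downtime_minutes(incidents, start, end):
    """Downtime inside [start, end), with overlapping windows merged so that
    simultaneous incidents are not double-counted."""
    clipped = sorted(
        (max(s, start), min(e, end))
        for s, e in incidents
        if e > start and s < end
    )
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).total_seconds() for s, e in merged) / 60


def availability_percent(incidents, start, end):
    total_minutes = (end - start).total_seconds() / 60
    return 100.0 * (1 - merged_downtime_minutes(incidents, start, end) / total_minutes)


def allowed_downtime_minutes(target_percent, start, end):
    """Downtime budget implied by the target for this period."""
    total_minutes = (end - start).total_seconds() / 60
    return total_minutes * (100.0 - target_percent) / 100.0


def sla_report(incidents=INCIDENTS, start=PERIOD_START, end=PERIOD_END,
               target=SLA_TARGET_PERCENT):
    actual = availability_percent(incidents, start, end)
    return {
        "downtime_minutes": merged_downtime_minutes(incidents, start, end),
        "availability_percent": round(actual, 4),
        "allowed_downtime_minutes": round(allowed_downtime_minutes(target, start, end), 2),
        "sla_met": actual >= target,
    }


if __name__ == "__main__":
    print(sla_report())
```

With these constructed records a naive sum of incident durations gives 80 minutes; merging and clipping gives 50, which is still over the 44.64-minute budget a 99.9% target allows for a 31-day month, so the SLA is breached. Keep your own measurements alongside the provider's status page, since the provider's reported figure is what you will be arguing against when claiming credits.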

Offboarding

Covered in Module 69, the termination phase requires data return, deletion verification, and transition management. The exam tests whether offboarding is planned from the start.

Exam trap: If a question describes an organization that evaluates a cloud provider at selection but never reassesses their security posture, the answer is inadequate vendor management. Selection-only evaluation ignores changes that occur after the contract is signed.

Supply Chain Security in Cloud

Cloud supply chains are complex. Your cloud provider depends on hardware manufacturers, network providers, software vendors, and subprocessors. A vulnerability anywhere in this chain can affect your data. The CCSP exam tests supply chain security awareness for cloud environments.

Supply Chain Risk Identification

  • Hardware supply chain: Compromised hardware components (chips, firmware) in the CSP's infrastructure could affect all tenants. The exam tests whether you consider hardware integrity assurance from the CSP.
  • Software supply chain: Third-party libraries, open-source components, and container images introduce vulnerabilities. The exam tests whether you verify the integrity of software dependencies, for example by pinning versions and checksums, checking signatures, and maintaining a software bill of materials (SBOM) so you know what is actually deployed.
  • Service supply chain: APIs, microservices, and integrations create dependencies on external services. A failure in one service can cascade through connected systems.

Third-Party Risk Management Programs

The exam expects organizations to have a formal third-party risk management (TPRM) program that includes cloud providers:

  • Risk tiering: Classify vendors by the risk they pose. Cloud providers hosting critical data are high-risk vendors requiring the most rigorous oversight.
  • Assessment frequency: High-risk vendors are assessed more frequently. The exam tests whether assessment frequency matches risk tier.
  • Contractual requirements: Security requirements flow through contracts to vendors and their subcontractors.
  • Incident coordination: Clear procedures for when a vendor experiences a security incident affecting your data.

Concentration Risk

The exam tests concentration risk, meaning excessive dependence on a single provider. If all critical systems run on one cloud provider and that provider suffers a major outage or fails as a business, the impact can be catastrophic. The exam expects you to evaluate and manage concentration risk through multi-cloud strategies or cloud-agnostic architectures, while recognizing that these add operational complexity and cost that must be weighed against the risk being mitigated.

AI Supply Chain Considerations

The updated CCSP outline includes AI-related supply chain risks. Cloud-based AI services use training data, model architectures, and inference infrastructure that introduce unique supply chain concerns: data poisoning in training sets, model supply chain attacks (compromised pre-trained models), and dependency on AI chipsets from specific manufacturers. The exam expects awareness of these emerging risks.
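Verifying the integrity of software dependencies (Supply Chain Risk Identification above) and guarding against a swapped pre-trained model (this section) are the same control: record the digest of the artifact you vetted and refuse anything that does not match. The following is an added example, not code from this page, using pip's hash-checking line format for the pin file and applying it to a library and a model file alike. The artifact bytes, names and versions are constructed for the example.

```python
"""Pinned-digest verification for software dependencies and pre-trained models (added example)."""
import hashlib
import hmac
import re

# Pin-file line format borrowed from pip's hash-checking mode ("pkg==ver --hash=sha256:<hex>").
# Model artifacts are pinned the same way so a swapped model file fails the same check.
PIN_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_./\-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for a library wheel and a model weights file.
GOOD_LIB = b"constructed wheel bytes for examplelib 2.3.1"
GOOD_MODEL = b"constructed safetensors bytes for sentiment model 1.0"

# Constructed pin file; digests are computed from the known-good bytes above, which is
# what you would record when you first vet a dependency or download a model.
PIN_FILE = (
    "# pinned dependencies, hash-checking style\n"
    f"examplelib==2.3.1 --hash=sha256:{sha256_hex(GOOD_LIB)}\n"
    f"models/sentiment==1.0 --hash=sha256:{sha256_hex(GOOD_MODEL)}\n"
)


def parse_pins(text: str) -> dict:
    """Return {name: (version, sha256_hex)}; reject any line that is not fully pinned."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed line: {line!r}")
        pins[m["name"]] = (m["version"], m["digest"])
    return pins


def verify_artifacts(pins: dict, artifacts: dict) -> dict:
    """artifacts maps name -> (version, bytes) as fetched. Returns a status per name.
    Anything fetched but not pinned is flagged, so a new transitive dependency or
    an unexpected model cannot slip in silently."""
    status = {}
    for name, (version, digest) in pins.items():
        if name not in artifacts:
            status[name] = "missing"
            continue
        got_version, data = artifacts[name]
        if got_version != version:
            status[name] = "version-mismatch"
        elif not hmac.compare_digest(sha256_hex(data), digest):
            status[name] = "digest-mismatch"
        else:
            status[name] = "ok"
    for name in artifacts:
        if name not in pins:
            status[name] = "unpinned"
    return status


def demo() -> dict:
    """Simulated fetch: the library is intact, the model was swapped upstream,
    and an extra package appeared that nobody pinned."""
    fetched = {
        "examplelib": ("2.3.1", GOOD_LIB),
        "models/sentiment": ("1.0", b"constructed bytes for a tampered model"),
        "surprise-dep": ("0.1", b"constructed bytes"),
    }
    return verify_artifacts(parse_pins(PIN_FILE), fetched)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A digest pin only proves the artifact is the one you vetted; it says nothing about whether that artifact was trustworthy to begin with, so it belongs alongside the provenance and review steps, not in place of them.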

Vendor Lock-In

Lock-in occurs when switching costs make it prohibitively expensive to change providers. The exam tests strategies to mitigate lock-in:

  • Using open standards and portable formats
  • Avoiding proprietary services without migration paths
  • Maintaining exit-ready architecture
  • Regularly testing data export and portability

Common Exam Traps

  • One-time vendor evaluation: Vendor management is ongoing, not a selection-only activity.
  • Ignoring the supply chain: Your provider's security depends on their suppliers' security.
  • Single provider dependency: Concentration risk should be assessed and managed.
  • Assuming vendor compliance: Contractual requirements must be verified through audits and monitoring.

Key Takeaways for the Exam

Vendor management is a continuous lifecycle from selection through offboarding. Cloud supply chains include hardware, software, and service dependencies. Third-party risk management programs should classify cloud providers by risk tier. Concentration risk from single-provider dependency must be assessed. AI introduces new supply chain risks. Vendor lock-in is mitigated through open standards, portable formats, and exit-ready architecture. Ongoing monitoring — not just initial evaluation — defines effective vendor management.
