---
url: "https://xcademia.com/courses/supply-chain-and-third-party-cyber-threat-management"
title: "Supply Chain and Third-Party Cyber Threat Management"
description: "Three-day practitioner supply chain security training. Covers NIS2 third-party risk, SBOM, SCA, vendor assessment, and supply chain compromise response"
publishedAt: "2026-04-10T11:54:59.630098+00:00"
updatedAt: "2026-04-29T06:05:12.689148+00:00"
type: course
code: "CYB-0150"
level: Practitioner
duration_days: "3"
track: "Cyber Warfare & Advanced Threat Defence"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier1
price_gbp: "3495"
---

# Supply Chain and Third-Party Cyber Threat Management

> A practitioner programme covering the detection, assessment, and management of nation-state supply chain threats targeting software, hardware, and trusted vendor access channels. Develop the skills to build a vendor security assessment programme, generate and analyse Software Bills of Materials, apply NIS2 supply chain obligations, and respond to a supply chain compromise without disrupting operations.

## Overview

State-aligned actors pre-position inside software supply chains during periods of relative geopolitical calm, waiting for the strategic moment to activate embedded capabilities. SolarWinds, XZ Utils, and dozens of smaller incidents have demonstrated that trusted software and legitimate vendor access are now primary attack vectors for nation-state actors. Healthcare, manufacturing, defence supply chains, and financial services face the highest exposure.

Over three mentor-led days, participants assess and score third-party cyber risk in a nation-state threat context, identify supply chain implant indicators in software and hardware, design a vendor security assessment programme aligned to NIS2 and NCSC CAF, apply software composition analysis tooling to identify supply chain vulnerabilities, generate and interpret Software Bills of Materials, and develop response procedures for supply chain compromise situations.

The programme concludes with a capstone supply chain compromise investigation: participants receive a simulated compromise scenario, identify the scope, execute containment without disrupting operations, and produce a NIS2-compliant regulatory notification. This course is aligned with NIS2 ICT third-party risk obligations, NCSC supply chain guidance, SBOM standards including SPDX and CycloneDX, and software composition analysis industry practice.

## Prerequisites

- Professional experience in procurement, vendor management, software security, or third-party risk management.
- Basic understanding of software development lifecycle concepts and network security fundamentals.
- Familiarity with regulatory compliance concepts in a technology or business risk management context.

## What you will learn

- Assess and score third-party cyber risk in the context of nation-state supply chain targeting methodologies.
- Identify supply chain implant indicators in software, hardware, and vendor access telemetry.
- Design a vendor security assessment programme aligned to NIS2 and NCSC CAF requirements.
- Generate and analyse a Software Bill of Materials for an application or dependency set.
- Integrate software composition analysis into CI/CD pipelines for continuous supply chain security.
- Respond to a supply chain compromise: scope identification, containment, and regulatory notification production.
- Implement NIS2 ICT third-party risk obligations within a practical vendor security programme.

## Skills you will gain

- Third-party risk scoring and tiering
- SBOM generation and analysis
- Software composition analysis
- NIS2 supply chain compliance
- Vendor security questionnaire design
- Supply chain compromise investigation
- NIS2 regulatory notification production
- SCA CI/CD pipeline integration
- Vendor audit methodology
- Hardware and firmware integrity assessment

## Career progression

- Third-Party Risk Manager
- Procurement Security Lead
- Software Security Engineer
- Supply Chain Security Specialist
- IT Director
- CISO

## Curriculum

1. **Module 1: Getting Ready**
   - Pre-reading: NCSC supply chain guidance and NIS2 ICT third-party risk management requirements
   - Introduction to software composition analysis concepts and SBOM format standards
   - Accessing course resources, SCA lab environment, and supply chain threat intelligence datasets
   - Course objectives, supply chain security knowledge baseline assessment, and pathway alignment
2. **Module 2: Anatomy of a Nation-State Supply Chain Attack**
   - State-aligned actors pre-positioning inside trusted software supply chains during geopolitical calm periods
   - SolarWinds: how the Orion build system was compromised and approximately 18,000 organisations affected
   - XZ Utils backdoor: a two-year patient infiltration of an open-source maintainer community
   - Hardware implants and firmware tampering: supply chain compromise at the physical and firmware layer
   - Common patterns across documented nation-state supply chain attacks and the indicators they leave
3. **Module 3: Trusted Vendor Access as an Attack Vector**
   - How nation-state actors pivot through legitimate vendor access channels to reach high-value target networks
   - Remote access abuse: vendor portal compromise, session hijacking, and jump server exploitation
   - IT service provider credential theft: targeting managed service providers to reach their customer base
   - Mapping your organisation's vendor access exposure by access level, network zone, and data sensitivity
   - Reducing the blast radius of a vendor compromise before it occurs through access control design
4. **Module 4: Sector Exposure and Targeting Analysis**
   - Healthcare, manufacturing, and financial services: the sectors most exposed to supply chain compromise
   - Defence supply chain: hardware provenance requirements and firmware integrity obligations
   - Government supply chain: the specific risk profile of IT service provider compromise in public sector
   - Technology sector: open-source dependency risk at enterprise scale and maintainer targeting
   - Mapping your organisation's supply chain exposure by sector classification, vendor tier, and criticality
5. **Module 5: Third-Party Risk Assessment Methodology**
   - Vendor risk scoring: assessing third parties by access level, data sensitivity, and network criticality
   - Tiering vendors: high, medium, and low risk categories with proportionate assessment requirements
   - Continuous monitoring of supplier security posture: what signals to watch and how to operationalise
   - Reducing reliance on adversary-linked vendors: geopolitical risk assessment in procurement decisions
   - Workshop: score a set of simulated vendor profiles using the risk assessment scoring framework
6. **Module 6: NIS2 Supply Chain Obligations in Practice**
   - NIS2 essential and important entity ICT supply chain risk management requirements
   - Contractual security clauses: what NIS2 demands organisations include in supplier agreements
   - Vendor audit rights and security assessment obligations under NIS2 for essential entities
   - Incident notification obligations when a supply chain compromise affects a NIS2-regulated organisation
   - Practical exercise: conduct a NIS2 supply chain compliance gap assessment for a simulated organisation
7. **Module 7: Software Bill of Materials: Generation and Analysis**
   - What an SBOM is and why it is the operational foundation of software supply chain security
   - SBOM format standards: SPDX and CycloneDX — structure, tooling, and exchange protocols
   - Generating an SBOM for a sample application using open-source and commercial tooling
   - Analysing an SBOM to identify known vulnerabilities, adversary-linked components, and licence risks
   - Using SBOMs as a continuous monitoring tool: tracking new CVEs against existing dependency inventories
8. **Module 8: Software Composition Analysis Tools and CI/CD Integration**
   - SCA tool categories: open-source options and commercial platforms with enterprise capabilities
   - Integrating SCA into CI/CD pipelines for continuous, automated supply chain vulnerability detection
   - Identifying and triaging high-severity supply chain vulnerabilities before production deployment
   - Managing SCA findings at scale: triage workflows, remediation prioritisation, and acceptable risk decisions
   - Hands-on lab: run SCA against a sample application codebase and produce a structured findings report
9. **Module 9: Vendor Security Questionnaire Design**
   - What makes a vendor security questionnaire operationally effective rather than a compliance tick-box exercise
   - Tailoring questionnaire depth and scope to vendor risk tier and level of access
   - Red flags in vendor security responses: indicators of inadequate or misrepresented security posture
   - On-site and remote audit processes for high-risk strategic vendors requiring deeper assurance
   - Scoring, benchmarking, and tracking vendor security posture improvements over time
10. **Module 10: Incident Response for Supply Chain Compromise**
    - Detecting and confirming a supply chain compromise: evidence collection without tipping off the attacker
    - Isolating affected systems and components without disrupting supply chain-dependent operations
    - Communicating with customers and downstream partners affected by a supplier compromise
    - Legal obligations and privilege considerations in supply chain incident response documentation
    - Rebuilding software trust after a confirmed supply chain compromise: validation and re-certification processes
11. **Module 11: Capstone: Supply Chain Compromise Investigation**
    - Receive a simulated supply chain compromise scenario for a critical sector organisation
    - Identify the full scope of compromise: affected systems, data, and downstream customer exposure
    - Execute containment strategy without disrupting supply chain-dependent operational processes
    - Produce a NIS2-aligned regulatory notification within the defined exercise time window
    - Full instructor debrief: investigation methodology review and regulatory notification quality assessment

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**1. Who is this course designed for?**

Procurement leads, third-party risk managers, vendor security teams, software security engineers, and IT directors responsible for supply chain security and ICT vendor risk management.

**2. Do I need a software development background?**

No. The SCA and SBOM practicals are taught from first principles and are accessible to procurement and risk management professionals alongside technical participants.

**3. How is NIS2 supply chain compliance covered?**

NIS2 essential entity supply chain obligations, contractual requirements, vendor audit rights, and incident notification requirements are covered in a dedicated session with a practical gap assessment exercise.

**4. What do I leave with?**

A Certificate of Achievement, a completed SCA findings report, an SBOM analysis output, a vendor risk assessment from the workshop, and a capstone regulatory notification document.

**5. Does this course need an exam?**

No. Assessment is through practical labs and the Day 3 capstone investigation and notification exercise. Completion requires full attendance and successful capstone delivery.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0150 |
| Duration | 3 days |
| Level | Practitioner |
| Track | Cyber Warfare & Advanced Threat Defence |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier1 |
| Price (GBP) | £3495 |

---

## About this content

This Markdown course profile is the citation-grade twin of [Supply Chain and Third-Party Cyber Threat Management](https://xcademia.com/courses/supply-chain-and-third-party-cyber-threat-management). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/supply-chain-and-third-party-cyber-threat-management
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
