What is supply chain security risk and mitigation?

Multiple Choice

Explanation:
Supply chain security risk arises from external vendors and third‑party suppliers whose components, software, or services your organization relies on. It is not limited to what happens inside your own walls. The best answer recognizes these external sources and proposes a layered mitigation: perform vendor risk assessments to understand each supplier’s security posture, require security controls through formal security requirements written into contracts, use SBOMs to know exactly which components and libraries are in use and to identify known vulnerabilities in them, and establish ongoing monitoring to catch new or evolving risks. This combination directly addresses how risk enters the organization and how to respond as conditions change.

Why this fits better than the other options: focusing only on internal risks ignores the external links in the chain; limiting risk to physical goods and insurance relies on a transfer or a single compensatory measure rather than proactive security controls; and SBOMs are a practical tool for visibility and vulnerability management, not something to dismiss for mitigation.
