You Can't Patch Your Supply Chain. So Why Treat It Like a Vulnerability Problem?
For years, vulnerability management has followed a familiar pattern: discover assets, scan for CVEs, prioritize by severity, and remediate what you can.
That model works, at least within the boundaries of systems you own.
The problem is that most organizations no longer operate within those boundaries.
Federal agencies especially depend on a complex ecosystem of SaaS platforms, software vendors, contractors, and open-source components. That ecosystem is the modern supply chain, and it has quietly become one of the largest contributors to organizational risk.
The cause? Many organizations attempt to secure this supply chain using the same tactics and strategies they use in their traditional vulnerability management program. That's where things start to break down.
The False Assumption: Treating Supply Chain Risk Like a Vulnerability Problem
Traditional vulnerability management was designed for environments where ownership and control were clear. You knew what systems you operated and scanned those assets for vulnerabilities. You could patch them, put in place compensating controls, and make reasonably informed decisions based on technical severity.
None of that translates cleanly to the supply chain.
When an agency relies on a SaaS provider, a managed platform, or a vendor-delivered application, the lines of control become blurred. You don't dictate how those systems are configured. You don't control their patch cycles. And in many cases, you don't even have full visibility into how they're built. The "shared responsibility" model can be challenging.
Despite this, many security approaches continue to apply familiar processes. They often rely on scanning, cataloging, and reporting vulnerabilities tied to third-party components. It's a logical extension of what teams already know, but it leads to the predictable outcome of more findings and more reports without any meaningful change in risk.
The Reality: Most Supply Chain Exposures Are Unpatchable
In a federal environment, a growing portion of the attack surface exists outside direct operational control. As we alluded to previously, mission-critical systems increasingly rely on SaaS platforms, identity providers, external APIs, and software that includes layers of third-party and open-source components.
The exposures that come with these dependencies rarely look like traditional patching problems. They take the form of misconfigurations in shared responsibility models, overly permissive identity relationships, or indirect access paths created through integrations. In some cases, the vulnerability exists deep within a vendor's software stack, placing it completely out of the reach or control of the organization consuming it.
What makes this especially challenging is that these exposures exist across assets an organization depends on, not just assets it owns. Deep integration into customer-owned systems also exacerbates the risk and exposure. That distinction expands the attack surface in ways that traditional vulnerability management was never designed to address.
Why Compliance-Driven Supply Chain Security Falls Short
In response to this growing risk, many organizations have leaned into compliance-driven approaches. SBOMs, vendor questionnaires, and inherited controls have become central to supply chain security efforts, particularly in the public sector.
These mechanisms serve an important purpose. They improve visibility into dependencies and create a baseline level of accountability. But they don't operationalize risk reduction.
A Software Bill of Materials (SBOM) can tell you which components are present in a piece of software. A vendor attestation can describe how security is managed in theory. Neither, however, tells you whether a specific weakness can be used to impact your environment today.
This is where many programs lose momentum. They answer the inventory question, "What are we using?" but fall short of answering the operational one, "What actually matters right now?"
To complicate matters even more, the data needed to answer that second question is rarely centralized. It lives across vulnerability scanners, asset inventories, cloud platforms, identity systems, and third-party feeds. Without a way to bring that information together and apply consistent context, decision-making becomes fragmented and often reactive.
Exposure Management Reframes the Supply Chain Problem
Taking a broader exposure management approach introduces a different and more aligned way to think about supply chain risk.
Instead of focusing on what vulnerabilities exist in isolation, it asks a more practical set of questions:
- Which weaknesses are reachable in the environment?
- Which ones are realistically exploitable given existing controls?
- Which of those would have a meaningful impact on mission or operations?
This shift broadens the definition of what constitutes risk. It's no longer limited to CVEs. Misconfigurations, identity exposures, control gaps, and third-party dependencies all become part of the picture.
More importantly, exposure management brings context into the equation. It considers critical factors like how assets are connected, how they're accessed, and how they support the business. That context is what allows teams to move beyond theoretical risk and focus on practical, actionable steps.
For supply chain security, this is a critical distinction. It provides a way to translate external dependencies into internal risk decisions.
Connecting Supply Chain Risk to Real Exposure
Most organizations already have some level of visibility into their supply chain. They know which vendors they rely on and, in many cases, which components are present in their software. It's a much harder problem to understand how those dependencies interact with the rest of the environment.
A vulnerability in a third-party component may or may not be relevant, depending on where it resides and how it can be reached. A SaaS integration may introduce risk not because of the platform itself, but because of the permissions it holds within the organization.
Answering these questions requires a deeper understanding of how systems, identities, and data are connected. They can't be answered through static analysis alone. Organizations that apply a continuous cycle of discovery, prioritization, validation, and mobilization around exposures (think CTEM, Continuous Threat Exposure Management) can begin to evaluate supply chain risk beyond theoretical weaknesses or unmanageable lists.
From "Fix Everything" to "Reduce What Matters"
One of the more difficult transitions for teams is moving away from the idea that every identified issue needs to be fixed. Too often, teams mistake activity for progress, and this is no exception.
In the supply chain, that mindset simply isn't practical.
You cannot patch a vendor's system, and you cannot eliminate every dependency. Attempting to do so leads to backlogs, fatigue, and ultimately a loss of confidence in the process.
A more effective approach is to focus on reducing the exposures that are most likely to impact the organization.
In practice, that often means looking beyond traditional remediation. It may involve tightening access controls, adjusting trust relationships, or introducing monitoring that can detect and contain suspicious activity. It also requires a more disciplined approach to prioritization, forcing you to account for exploitability and business impact.
The goal of this mindset is to make the organization materially harder to compromise, even in the presence of unavoidable risk.
What This Means for Public Sector Organizations
Federal agencies operate in an environment where supply chain risk is both a security concern and a compliance requirement. They are responding to directives such as EO 14028, OMB Zero Trust guidance, and CISA's numerous Cybersecurity Directives, all of which raise expectations for asset visibility, vulnerability awareness, and timely remediation.
At the same time, the underlying operational challenges of complex environments, widespread dependencies, and finite resources remain. In practice, agencies often aggregate data from dozens of tools, each producing overlapping or incomplete views of risk. The result is a familiar pattern: more reporting volume without a corresponding improvement in prioritization or remediation outcomes.
Exposure management offers a way to move beyond that pattern. It aligns more closely with Zero Trust principles, particularly the emphasis on verifying access and limiting reachability. It also supports the shift toward continuous monitoring and risk-based decision-making.
Perhaps most importantly, it provides a framework for turning supply chain visibility into something actionable. This enables agencies to measure progress through risk reduction over time, SLA performance, and the reduction of exposure windows, not just the number of findings reported.
Where Should We Start? Evolving Beyond Vulnerability Management
The shift we've talked about throughout this article doesn't require starting from scratch. Most organizations already have many of the necessary components in place and, frankly, starting anew isn't viable for most organizations, public or private sector.
- The first step is bringing data together. Combining internal exposure data with external signals related to third-party risk is essential. From there, the focus should be on mapping dependencies to assets, identities, and business functions so that risk can be evaluated in context.
- Prioritization models need to evolve as well. Severity alone is not enough, particularly when dealing with indirect exposures. Incorporating exploitability and business impact leads to more informed and actionable decisions.
- Finally, validation becomes critical. Before mobilizing resources, organizations need confidence that a given exposure represents a real risk, not just a theoretical one.
These steps can be taken incrementally. Your goal isn't to solve the entire supply chain risk quandary all at once. Making it progressively more visible, contextual, and actionable will ensure long-term sustainability and success.
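To make the "bring data together, then prioritize on reachability, exploitability and impact" steps concrete (and the three questions posed earlier under exposure management), here is an added example that is not code from this article or from Nucleus. It merges three constructed data sources (scanner/SBOM findings, an asset inventory, and identity context), ranks each third-party exposure by context rather than CVSS alone, and attaches the non-patch lever available for it; every asset name, component name, score and weight is a constructed placeholder.

```python
"""Context-aware prioritization of third-party exposures (added example, not
code from the article or Nucleus). Merges constructed scanner/SBOM findings,
asset inventory and identity context, then ranks by reachability, exploitability
and mission impact instead of CVSS alone. Names, values and weights are illustrative."""

# Constructed sample inputs, one per source the article says is rarely centralized.
FINDINGS = [  # scanner / SBOM: which third-party component, how severe, in CISA KEV?
    {"asset": "hr-saas-connector", "component": "lib-x", "cvss": 9.8, "kev": False},
    {"asset": "public-portal", "component": "lib-y", "cvss": 7.5, "kev": True},
    {"asset": "lab-jumpbox", "component": "lib-z", "cvss": 9.1, "kev": True},
]
ASSETS = {  # asset inventory: where it is reachable from, mission criticality 1-5
    "hr-saas-connector": {"reachable_from": "internet", "mission": 4},
    "public-portal": {"reachable_from": "internet", "mission": 5},
    "lab-jumpbox": {"reachable_from": "isolated", "mission": 1},
}
IDENTITY = {  # identity provider: does the integration hold privileged access?
    "hr-saas-connector": {"privileged": True},
    "public-portal": {"privileged": False},
    "lab-jumpbox": {"privileged": True},
}
REACH = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}  # illustrative weights


def score(finding, assets, identity):
    """Return (priority, action) for one finding using the merged context."""
    asset = assets[finding["asset"]]
    ident = identity[finding["asset"]]
    reachability = REACH[asset["reachable_from"]]
    # Known-exploited components count as fully exploitable; otherwise discount CVSS.
    exploitability = 1.0 if finding["kev"] else finding["cvss"] / 10 * 0.6
    # Mission criticality, bumped when the integration holds privileged access.
    impact = min(1.0, asset["mission"] / 5 + (0.3 if ident["privileged"] else 0.0))
    # The vendor code cannot be patched, so the lever is trust, reachability or monitoring.
    if ident["privileged"]:
        action = "reduce integration permissions"
    elif asset["reachable_from"] == "internet":
        action = "restrict reachability"
    else:
        action = "monitor and contain"
    return round(reachability * exploitability * impact, 3), action


def prioritize(findings=FINDINGS, assets=ASSETS, identity=IDENTITY):
    """Rank findings by contextual priority, highest first."""
    ranked = []
    for f in findings:
        priority, action = score(f, assets, identity)
        ranked.append({**f, "priority": priority, "action": action})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)
```

With these constructed inputs, a CVSS-only sort would put the isolated jumpbox ahead of the internet-facing portal; `prioritize()` reverses that because reachability and mission impact, not severity, decide where the real exposure is.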
Closing Thought
Supply chain risk isn't a new problem. Whether you're talking about industrial, military, or information supply chains, they've always been a weakness targeted by malicious actors. What's changed is the scale of dependency and complexity across digital systems and the level of exposure that comes with it.
Treating that problem like a traditional vulnerability management exercise was always going to fall short.
Just remember: You can't patch your supply chain.
You can, however, understand where it exposes you. Once you've gained that understanding, you can begin taking the steps necessary to reduce that risk.