Episode Description
A vendor supply chain incident is not just a developer problem. If your vendors ship software, your MSP is in the blast radius whether or not you wrote a line of code yourself.
In this special Get NIST-y episode, Jared and Mike break down what MSPs should actually do in the wake of the Axios compromise, both before the next incident and after one lands. This is practical security and compliance advice for MSPs, not checkbox theater.
- A SOC 2 is a starting point, not a hall pass. Read the scope, read the opinion, and read management’s response.
- Vendor questionnaires are useless if nobody reviews the answers. A few real questions beat 1,900 ignored ones.
- Keep a real vendor inventory, including subprocessors. You cannot assess exposure if you do not know who touches your data.
- Ask vendors for clear answers after an incident, and know how to rotate secrets fast if something gets exposed.
We mentioned Roddy Bergeron's talk from Right of Boom. Here's the link (registration required to view): https://portal.rightofboom.com/calendar/event/019c4cb4-6f89-7211-9a85-236a0a3f922d
Submit your question: https://blacksmithinfosec.com/nisty/