Get NIST-y

S2 E17

Vendor Risk, Fake Automation, and the Green Check Trap

April 28
20 mins

Episode Description

A vendor questionnaire is not vendor risk management.


This week on Get NIST-y, we use the Mythos supply chain mess as a reminder that your vendors' vendors can absolutely become your problem. Then we get into a second trap that deserves more skepticism: compliance platforms that promise automation but mostly hand you prettier green check marks.


What we cover:

- A SOC 3 by itself is not enough. If that is the whole review, you are checking a box, not managing risk.

- Recent vendor incidents matter, but context matters too. A "critical" vuln is not automatically critical for every environment.

- The best vendors do not stay quiet. They tell you whether you were affected, where the risk exists, and what changed.

- Automated evidence collection can save time, but it cannot own your risk or replace human review.


We answer:

- Should vendor vulnerabilities and recent incidents change how you score vendor risk?

- How much of "automated evidence collection" is real, and how much is expensive wallpaper over manual work?


Submit your question: https://blacksmithinfosec.com/nisty/