What is Supply Chain?
Supply Chain is the vendor software validation module of the CSF suite. It ensures that every third-party software package, PTF, and vendor update is cryptographically verified before it reaches your mainframe — and confirmed intact after installation.
Every other CSF module protects your environment against threats that are already inside. Supply Chain operates at a fundamentally different point in the security lifecycle: it prevents compromised software from entering your environment in the first place.
Supply Chain answers one question: "Can I trust this software update?"
Why Supply Chain Attacks Are a Mainframe Problem
Modern supply chain attacks do not target your defenses directly. They target the software update process itself — the one channel your organization already trusts.
The pattern is consistent. Attackers compromise a vendor's build system or intercept an update in transit. Malicious code is injected into legitimate software. Your team applies the compromised update through established, trusted channels. The attacker gains access — bypassing every traditional security control — because the software arrived through a path your organization was designed to trust.
Mainframe environments are particularly attractive targets. They process the most critical data in the enterprise, sit at the heart of business operations, and rely heavily on vendor-supplied PTFs and system updates. The trust placed in those updates is precisely what attackers exploit.
SolarWinds demonstrated how devastating this attack vector can be in distributed environments. The same principle applies to z/OS — and the stakes are higher.
Protection Across Attack Vectors
Supply Chain addresses the full range of software supply chain threats facing mainframe environments.
- Trojanized vendor updates — where an attacker compromises a vendor's build system and injects malicious code into a legitimate package — are caught through cryptographic signature comparison before the package is installed.
- Man-in-the-middle modifications, where software is altered during download or transmission, are identified through content hash validation against expected values.
- Internal tampering, where an authorized individual modifies approved software before or during deployment, is caught by post-installation verification.
- Rollback attacks, where an attacker attempts to install an older, vulnerable version of previously updated software, are blocked at the validation stage.
In each case, the compromised software is stopped before it runs. No detection delay. No incident response. The gate simply does not open.
Compliance Coverage
Supply Chain directly addresses regulatory requirements for third-party risk management and software integrity verification.
For organizations operating under NIST, supply chain risk management is a key focus area of the Cybersecurity Framework. Supply Chain provides the pre-installation validation and vendor software verification that auditors expect to see when assessing supply chain controls.
DORA's requirements for third-party risk management and software integrity controls map directly to Supply Chain's capabilities. Pre- and post-installation cryptographic validation of vendor software satisfies DORA's mandate that financial institutions verify the integrity of software provided by third-party ICT service providers.
Supply Chain also embodies the core Zero Trust principle applied to software: never trust, always verify. Rather than assuming vendor software is safe because it arrived through an established channel, Supply Chain verifies every package cryptographically before it is permitted to run.
Complete Lifecycle Protection with FIM+
Supply Chain and FIM+ together provide end-to-end software integrity coverage across the full lifecycle.
Supply Chain validates software before installation — confirming that what arrives from the vendor is exactly what the vendor intended to ship. Once approved software is installed, FIM+ takes over. It recognizes the expected change, updates its secure vault, and begins monitoring the installed files from that point forward. If anything changes unexpectedly after installation — whether days, weeks, or months later — FIM+ identifies the unauthorized modification and alerts your team.
The handoff is seamless. Supply Chain ensures software is trustworthy when it enters the environment. FIM+ ensures it remains trustworthy afterward.
How Supply Chain Works
Pre-Installation Validation
Before any vendor software or PTF is applied to production, Supply Chain validates it against known-good baselines. Cryptographic signatures are compared to vendor-published references. File contents are compared to expected values. If anything deviates — a modified signature, unexpected content, an altered package — the installation is blocked before the software enters your environment. An alert is sent with full deviation details so your team can investigate and obtain a clean version through a verified channel.
This is not detection and response. It is a gate that does not open for unvalidated software.
Post-Installation Verification
After approved software is installed, Supply Chain confirms that the deployed version matches the approved version exactly. This catches modifications that could occur between the approval step and the actual deployment — whether from internal tampering, process errors, or deployment pipeline compromise. A complete audit trail records what was installed, when, and by whom.
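To make the pre- and post-installation checks concrete, and to show how each of the four attack vectors listed under Protection Across Attack Vectors fails a different check, here is an added illustration in Go. It is not CSF's code and does not describe the product's internal format: it assumes the vendor publishes a small JSON manifest (package name, integer release number, SHA-256 of the payload) signed with an Ed25519 key whose public half is pinned on the receiving side, and it uses constructed byte strings in place of real PTF payloads. The rollback check compares the manifest's release number with the release already installed; a real gate would take that ordering from the vendor's own version or PTF metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is the vendor-published reference for one release. The integer
// release number and the JSON encoding are assumptions of this example; the
// vendor signs the canonical JSON with its Ed25519 key.
type Manifest struct {
	Package string `json:"package"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// Deviation is one reason the gate stayed closed. All failures are collected
// so the alert carries full deviation details rather than only the first one.
type Deviation struct{ Check, Detail string }

// canonical returns the signed bytes; encoding/json emits struct fields in
// declaration order, so the encoding is deterministic.
func (m Manifest) canonical() []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return b
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewVendorKey makes a demo vendor key; in practice only the public half
// reaches the mainframe, distributed out of band and pinned.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewManifest(name string, version int, pkg []byte) Manifest {
	return Manifest{Package: name, Version: version, SHA256: hashHex(pkg)}
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Tamper returns a modified copy of a payload without touching the original.
func Tamper(pkg []byte, suffix string) []byte {
	return append(append([]byte{}, pkg...), suffix...)
}

// PreInstallGate runs the three pre-installation checks: manifest signature
// under the pinned vendor key, payload hash against the manifest, and release
// number against what is already installed (rollback). Empty result = open.
func PreInstallGate(vendorPub ed25519.PublicKey, m Manifest, sig, pkg []byte, installed int) []Deviation {
	var devs []Deviation
	if !ed25519.Verify(vendorPub, m.canonical(), sig) {
		devs = append(devs, Deviation{"signature", "manifest signature does not verify under the pinned vendor key"})
	}
	if got := hashHex(pkg); got != m.SHA256 {
		devs = append(devs, Deviation{"content-hash", fmt.Sprintf("expected %s, got %s", m.SHA256, got)})
	}
	if m.Version <= installed {
		devs = append(devs, Deviation{"rollback", fmt.Sprintf("release %d is not newer than installed release %d", m.Version, installed)})
	}
	return devs
}

// PostInstallVerify re-hashes what was actually deployed and compares it with
// the manifest approved at the gate.
func PostInstallVerify(approved Manifest, deployed []byte) []Deviation {
	if got := hashHex(deployed); got != approved.SHA256 {
		return []Deviation{{"post-install", fmt.Sprintf("deployed %s differs from approved %s", got, approved.SHA256)}}
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	// Constructed stand-ins for two successive vendor releases.
	v1, v2 := []byte("release 1 payload (constructed)"), []byte("release 2 payload (constructed)")
	m1, m2 := NewManifest("demo-product", 1, v1), NewManifest("demo-product", 2, v2)
	s1, s2 := SignManifest(priv, m1), SignManifest(priv, m2)
	report := func(name string, devs []Deviation) {
		fmt.Printf("%-20s gate %s\n", name, map[bool]string{true: "OPEN", false: "CLOSED"}[len(devs) == 0])
		for _, d := range devs {
			fmt.Printf("  %-13s %s\n", d.Check, d.Detail)
		}
	}
	report("clean update", PreInstallGate(pub, m2, s2, v2, 1))
	report("trojanized payload", PreInstallGate(pub, m2, s2, Tamper(v2, "+implant"), 1)) // payload altered after signing
	forged := NewManifest("demo-product", 3, Tamper(v2, "+implant"))                      // rehashed, but not re-signable
	report("forged manifest", PreInstallGate(pub, forged, s2, Tamper(v2, "+implant"), 1))
	report("rollback", PreInstallGate(pub, m1, s1, v1, 2)) // genuine but older release replayed
	report("post-install drift", PostInstallVerify(m2, Tamper(v2, "+edit")))
}
```

Running the program prints one line per scenario: the clean update opens the gate, the altered payload fails the content-hash check, the rehashed manifest fails the signature check because the attacker cannot produce a signature under the vendor key, the replayed older release fails the rollback check even though its signature and hash are genuine, and post-installation drift is reported against the approved manifest rather than against whatever happens to be on disk. In a real deployment the approved manifest would be stored in the signature database and the pinned vendor key would be rotated through the same change-control path as the software itself.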
Lightweight Operational Footprint
Supply Chain is designed for mainframe operations teams who cannot tolerate unnecessary overhead. Validation runs during change windows when software is being installed — not continuously in the background consuming resources. Ongoing CPU impact is negligible. The signature database stores known-good baselines for all monitored vendor software, and baselines are updated as vendors release new versions. Supply Chain deploys as part of CSF Foundation's started task infrastructure, requiring 64MB minimum memory for the Supply Chain server component.
Integration
Change Control Integration
Supply Chain enforces process discipline throughout the software lifecycle. Changes are locked — prevented from reaching production — until they are properly approved through your change control workflow. Separation of duties is enforced so that the person approving a change cannot be the same person executing it. Integration with ServiceNow and BMC Helix ensures that validation results and approval status flow directly into your existing change management processes.
Development Process Integration
Supply Chain connects to the development and release management tools your mainframe teams already use. Integration with BMC DevX, Broadcom Endevor, ChangeMan, and Git-based workflows means vendor software validation fits into your existing development pipeline rather than requiring a separate process. Software is validated within the same toolchain your teams use to manage, promote, and deploy code.
