Supply Chain
What Makes Supply Chain Unique
Supply Chain is the software integrity module of CSF. It validates vendor software and updates before installation—ensuring only trusted code runs on your mainframe.
Supply Chain answers the question: "Can I trust this software update?"
Supply Chain Capabilities
- Informed Release Control / Approvals — Validates software against known-good baselines before approval
- Enable Separation of Duties – Issue Resolution — Enforces proper change control workflow
- Lock Changes Prior to Approval — Prevents unapproved software from reaching production
- Verify That Change Deployment Was Correct — Post-installation verification confirms integrity
The Supply Chain Threat
Modern supply chain attacks target the software update process itself:
- Attackers compromise vendor systems or intercept updates in transit
- Malicious code is injected into legitimate software
- Organizations apply the compromised update through trusted channels
- Attackers gain access—bypassing traditional security controls entirely
Mainframe environments are particularly attractive targets because of:
- The critical data they process
- Their position at the heart of enterprise operations
- The trust placed in vendor-supplied PTFs and updates
How Supply Chain Works
Pre-Installation Validation
Before any vendor software or PTF is applied to production:
- Cryptographic signatures validated against vendor baselines
- Content compared to expected values
- Any deviation triggers alerts before installation
- Approved software tracked through deployment
Post-Installation Verification
After installation completes:
- Verifies installed software matches approved version
- Confirms no modifications occurred during deployment
- Provides audit trail of what was installed and when
Change Control Integration
Integrates with your existing processes:
- ServiceNow and BMC Helix integration
- Enforces separation of duties
- Locks changes until properly approved
Protection Against Common Attacks
| Attack Type | How Supply Chain Protects |
|---|---|
| Trojanized Updates | Detects malicious code in legitimate vendor software |
| Man-in-the-Middle | Identifies software modified during transmission |
| Unauthorized Modifications | Catches internal tampering with approved software |
| Rollback Attacks | Prevents installation of older, vulnerable versions |
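The following is an added example, not the product's own code, showing the workflow described under Pre-Installation Validation and Post-Installation Verification together with the rollback case from the table above: a signed baseline is checked, the package content is compared to it, an older version is refused, and the deployed module is re-verified. The module name, vendor key and package bytes are constructed, and an HMAC stands in for the vendor's real signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. A real vendor baseline
# would carry an asymmetric signature; HMAC keeps this example self-contained.
VENDOR_KEY = b"hypothetical-vendor-key"

@dataclass(frozen=True)
class Baseline:
    module: str      # hypothetical module name
    version: int
    sha256: str      # expected digest of the package content
    signature: str   # vendor's signature over module/version/sha256

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_baseline(module: str, version: int, digest: str) -> str:
    msg = f"{module}|{version}|{digest}".encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()

def pre_install_check(baseline: Baseline, package: bytes, installed_version: int) -> list:
    """Validate an update before approval; an empty list means it may proceed."""
    findings = []
    expected_sig = sign_baseline(baseline.module, baseline.version, baseline.sha256)
    if not hmac.compare_digest(expected_sig, baseline.signature):
        findings.append("baseline signature invalid")
        return findings  # nothing in an unsigned baseline can be trusted
    if sha256_hex(package) != baseline.sha256:
        findings.append("content deviates from vendor baseline")
    if baseline.version <= installed_version:
        findings.append("rollback: version not newer than installed")
    return findings

def post_install_check(baseline: Baseline, installed: bytes) -> bool:
    """Confirm the deployed module is byte-for-byte the approved one."""
    return hmac.compare_digest(sha256_hex(installed), baseline.sha256)

# Constructed sample package, its vendor baseline, and a tampered copy.
GOOD = b"HYPMOD01 load module, version 3\n"
BASELINE = Baseline("HYPMOD01", 3, sha256_hex(GOOD),
                    sign_baseline("HYPMOD01", 3, sha256_hex(GOOD)))
TAMPERED = GOOD.replace(b"version 3", b"version 3 + injected")
```

Each finding would map to an alert raised before installation; the post-installation check is what confirms nothing changed during deployment.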
Supply Chain + FIM+: Complete Lifecycle Protection
Supply Chain validates software BEFORE installation.
FIM+ monitors files AFTER installation.
Together:
- Vendor update arrives → Supply Chain validates
- Update is applied → FIM+ detects the expected change
- If anything changes unexpectedly later → FIM+ alerts
Compliance Support
| Framework | Requirement Addressed |
|---|---|
| NIST | Supply chain risk management (key focus area) |
| DORA | Third-party risk management, software integrity controls |
| Zero Trust | "Never trust, always verify"—applies to software as well as users |
Supply Chain vs. Other CSF Products
| If you need to... | Use... |
|---|---|
| Verify vendor software before install | Supply Chain |
| Detect file changes after installation | FIM+ |
| Catch attackers in recon/exploit phase | Early Warning |
| Stop data leaving your mainframe | Data Exfiltration Defense |
CRM Product Quote Description
Monitors and validates integrity of third-party vendor software and external code components. Tracks changes to vendor-supplied modules, libraries, and system exits. Detects unauthorized modifications to supply chain components before they execute. Provides cryptographic verification of vendor packages against known-good baselines. Alerts on deviations from approved vendor configurations and unauthorized code injections. Integrates with FIM+ for continuous integrity monitoring of external dependencies.
Supply Chain runs on CSF Foundation, which provides Real-time Reaction, Human Interface, Whitelisting, and Restore Assist capabilities.
