"Secure the Value, Not Just the Network."
The trusted neutral clearinghouse for vendor cybersecurity posture data.
Independent regulatory bodies across the EU, US, and Japan have converged on the same answer to the same question at roughly the same moment. That convergence is not coincidence. It's a structural signal — and it points to something that doesn't exist yet.
The clearinghouse doesn't exist yet. That's what VCRI is building.
The Causal Chain
Within a 24-month window, independent regulatory bodies across the EU, US, and Japan independently converged on roughly the same answer to the same question. This isn't regulatory fashion. It's the endpoint of a specific causal sequence that matured simultaneously.
2010s — The Structural Vulnerability Was Created
Organizations that once operated their own infrastructure became dependent on dozens to hundreds of external vendors. The oversight mechanisms — vendor questionnaires — were designed for a world with a handful of critical third-party relationships. In a world of hundreds, the questionnaire model became a checkbox exercise producing false confidence. The vulnerability accumulated quietly, invisibly, over a decade.
2020 — Proof of Concept
Attackers understood vendor-as-vector before defenders did. The logic is straightforward: compromise one vendor, gain access to every client who trusts that vendor. SolarWinds was the publicly visible proof of concept — a single supply chain compromise that reached hundreds of organizations including US federal agencies. Once the proof of concept was visible, frequency increased. The pattern became statistically significant.
2022–2024 — The Measurement Problem Resolved
For years, "what percentage of breaches involve third parties?" was unanswerable. Forensic capabilities improved. Mandatory disclosure requirements (GDPR, SEC rules, NIS2) created reporting obligations. The data began to accumulate. Third-party breach attribution went from anecdote to statistic — 29% in one period, rising to 35% the next. Once measurable, the regulatory lever existed.
2025–2026 — The Regulatory Cascade
Regulations don't emerge in isolation — they follow templates. Once one major jurisdiction does the intellectual work of establishing that vendor risk assessment must be independent and continuous — not self-reported and periodic — others follow. The EU moved first with DORA and NIS2. The US adapted (FedRAMP 20x, SEC disclosure rules). Japan followed. The cascade is structural, not coincidental.
Active Regulatory Mandates — Independent Jurisdictions, Same Requirement
These frameworks were developed independently, cite different legal authorities, and emerged from different political processes. Their convergence on the same requirement is a structural signal, not coordination.
What the convergence reveals: The mandates create requirements for some vendors in some contexts. They don't create the infrastructure for knowing vendor posture across supply chains as a whole — because supply chains don't respect regulatory perimeters. A financial institution under DORA still has vendors who aren't financial institutions. A US federal contractor under FedRAMP still has subvendors not seeking federal authorization. The frameworks have named the problem. What's missing is the shared data infrastructure that makes assessment possible at the scale the problem demands. That infrastructure doesn't exist yet.
The Structural Problem
Every major third-party breach follows the same pattern: an organization trusted a vendor's security posture based on the vendor's own claims, and found out the claims were wrong when something burned. The problem is structural, not accidental.
A vendor filling out a security questionnaire has every incentive to present the most favorable picture. The organization receiving it has no independent data to validate against. The entire transaction is built on an assumption that fails in exactly the situations where accurate posture data matters most.
A compliance assessment is valid for approximately five minutes after it's filed. The threat landscape changes daily. Annual questionnaires describe a vendor's posture on the day the form was submitted — which is not the day you need to know. Risk-to-action in the traditional model: 6 months.
External scanning tools (the major commercial category) measure observable surface area — exposed ports, leaked credentials, certificate status. They infer what's inside from what they can see from the internet. That's not assessment. That's pattern-matching on symptoms.
The organizations affected by third-party breaches are not naive — many have sophisticated security programs. What they lack is independent data about the vendors in their ecosystem. They're navigating with instruments calibrated by the people they're supposed to be evaluating. SolarWinds. Kaseya. MOVEit. Target. Each time, a trusted vendor was the door — and no one knew it was open.
The Infrastructure Response
The credit bureau analogy is the right one: credit bureaus don't compete with banks. They hold the assessment function at arm's length from the transaction. The equivalent for vendor cybersecurity posture doesn't exist. VCRI is building it.
Real security data from actual tools — not a questionnaire. Automated API ingestion preferred; vendors who allow it earn higher trust scores. For FedRAMP vendors: OSCAL-formatted packages map directly into the VCRI schema.
Data is normalized through the Secure Controls Framework (SCF) — 100+ compliance frameworks unified to a single master baseline. Evaluated against CMM maturity levels. The CAM matrix maps posture across six TIPPSS dimensions.
Every organization depending on that vendor gets continuous, dollar-denominated risk visibility. Not a letter grade. A dollar figure: the revenue or mission value at stake, updated continuously as incident data and posture signals change.
VCRI outputs dollar figures, not traffic lights alone. The VCAR formula: Process Value × Industry Incident Duration = Dollar at Risk. Every vendor risk decision can be made in the same terms as every other business decision.
Vendors who maintain a strong VCRI profile share it with every client on the platform. Answer once. Share everywhere. Questionnaire fatigue eliminated across their entire customer base — the rational choice is transparency, by design.
Structural Differentiation
Every commercial tool in this space is solving the symptom — better questionnaire management, better external scanning. VCRI solves the structural problem.
Landscape Comparison
| Dimension | Security Ratings (BitSight, SSC, UpGuard) | TPRM Workflow (ProcessUnity, Venminder) | VCRI |
|---|---|---|---|
| Data source | External scan / inference | Vendor self-report | Vendor-submitted telemetry, independently normalized |
| Business model | Commercial SaaS | Commercial SaaS | Nonprofit membership |
| Conflict of interest | Aligned with buyers | Aligned with buyers | Neutral — no commercial stake |
| Cross-framework normalization | Proprietary scale | Framework-specific | SCF — 100+ frameworks unified |
| Portable vendor trust | No | No | Yes — answer once, share everywhere |
| Dollar-denominated output | No | No | Yes — VCAR: $ at risk per process |
| Jurisdiction scope | US-centric | US-centric | US · EU · Japan by design |
Leadership
The people who wrote the standards, built the frameworks, and led security at the world's most critical organizations — building the infrastructure layer the entire industry needs.
Co-author CMMC v1; NIST contributor; IANS Faculty; CAM co-author. Security Weekly co-host. Ex-cop, ex-fireman, historical blacksmith.
Former Chief Security Officer, Oracle — 40 years. Architect of Oracle's Unbreakable security program.
"Father of SBOM." Fmr. CISA/NTIA. Created the framework the U.S. government now requires for software component disclosure.
CISO, Indiana University Health. Co-Vice Chair IEEE/UL 2933 — the standard underlying VCRI's verification methodology.
Senior Cyber Analyst, Lawrence Livermore National Laboratory. SANS mentor and instructor.
Founder, Secure Controls Framework (SCF) — the master control library mapping 100+ compliance frameworks. U.S. Army veteran.
Founder & CEO, Cyturus. 30+ years in regulatory compliance and supply chain risk management.
Founder, Security Weekly (160K audience). Principal Security Researcher, Eclypsium — firmware & hardware supply chain.
UN Transparency Protocol Adoption Group Lead. Digital Product Passports — global supply chain transparency at scale.
Framework — Tom Cornelius, SCF Founder · VCRI Board
"Be less than all three, and you're taking on risk." VCRI measures all three — continuously, across your entire vendor ecosystem.
Publications
Full methodology, technical architecture, and regulatory alignment documentation.
Founding Round
To build, staff, and operationalize the clearinghouse infrastructure — the data layer that supply chains need and regulators are now requiring.
Why April 2026 matters: The EU ICT Supply Chain Security Toolbox was published in February. The FedRAMP machine-readable mandate deadline arrives in September. SusHi Tech Tokyo (April 27-29) lands at the exact moment when regulatory convergence is most visible and the gap between what's mandated and what's available is most apparent. The timing is structural, not lucky.
The clearinghouse doesn't exist yet. We're building it.
Government agencies, critical infrastructure operators, and strategic partners who want to be part of defining how supply chain risk is assessed at global scale — the founding conversation starts here.
info@valuechainrisk.org
ValueChainRisk.org