ValueChainRisk.org
Alignment Brief · February 2026
Continuous Vendor Monitoring Under Japan's Information System Security Management and Assessment Program
What Is ISMAP?
ISMAP (情報システムセキュリティ管理及び評価制度) is Japan's government cloud security assessment program, jointly administered by METI, MIC, NPA, and NISC. It requires cloud service providers used by government agencies to maintain registration through annual third-party assessment against 1,500+ controls spanning ISO/IEC 27001 and the Japanese government's own security guidelines.
Crucially, ISMAP extends beyond cloud providers: procuring agencies are required to continuously monitor and manage the security posture of their own vendor ecosystem — including downstream ICT suppliers at every tier.
The Gap ISMAP Cannot Close Alone
ISMAP registers cloud providers. It does not provide a mechanism for agencies to continuously monitor the vendors, integrators, and subcontractors in their own supply chain. Those downstream tiers remain invisible.
The Kojima Industries incident (February 2022) demonstrated this precisely: Toyota's Tier-1 supplier lacked continuous monitoring. Toyota had no posture signal. Fourteen plants halted. ISMAP compliance at the prime level did not protect the value chain.
ISMAP covers the cloud provider. VCRI covers the agency's entire vendor tier.
ISMAP Control Domain → VCRI Delivery Mapping
| # | ISMAP Control Domain | Agency Obligation | How VCRI Delivers | Status |
|---|---|---|---|---|
| A.15 | Supplier Relationships (supply chain risk; ICT supplier controls) | Maintain current posture data for all Tier-1 through Tier-3 ICT suppliers; demonstrate ongoing due diligence | CyberAssuranceMatrix (CAM) scores every vendor in real time. Dollar-at-Risk (VCAR) quantifies exposure per tier. Posture dashboards updated on ingestion cycle. | ✓ Direct |
| A.12 | Operations Security (monitoring, logging, vulnerability management) | Evidence that vendors are actively monitoring their own environments and remediating findings | VCRI ingests live telemetry from vendor SIEM, GRC, and vulnerability management platforms via CRIBL pipeline. Ingest timestamps demonstrate continuous — not annual — activity. | ✓ Direct |
| A.16 | Incident Management (response capability; notification obligations) | Verify vendor incident response maturity; confirm notification SLA agreements | CAM Incident Response dimension (one of six TIPPSS axes) scores response maturity from CMM L1–5. Anomalous telemetry gaps trigger posture-change alerts to the procuring agency. | ✓ Direct |
| A.18 | Compliance (regulatory obligations; audit evidence) | Demonstrate vendor compliance with applicable regulations (PIPA, NISC guidelines, sector requirements) | Secure Controls Framework (SCF) normalizes across 100+ compliance regimes. VCRI scores map vendor posture against PIPA, ISO 27001, NIST CSF, and NISC simultaneously. | ✓ Direct |
| A.6 | Organization of Information Security (roles, responsibilities, segregation) | Confirm vendor security roles and governance structures are defined and maintained | CAM Governance dimension scores organizational security maturity. CMM levels reflect whether formal processes exist vs. ad-hoc practices. | ✓ Direct |
| A.17 | Business Continuity (BCM; availability assurance) | Verify vendor BCP/DR capability and tested recovery procedures | CAM Continuity dimension (Protection/Safety TIPPSS axes) scores BCP/DR maturity. Vendor BCP attestation submitted as structured data to VCRI escrow. | ◑ Partial |
| A.14 | System Acquisition & Development (SDLC security; secure development) | Confirm vendors follow secure development and change management practices | SBOM (Software Bill of Materials) ingestion — Allan Friedman, VCRI board, is the father of SBOM at CISA/NTIA — feeds the CAM software supply chain dimension in roadmap v1.1. | ◑ Roadmap |
Annual Audit vs. VCRI Continuous
Annual questionnaire: Vendor self-attests once per year. Posture decays immediately. Agencies hold a snapshot, not a signal.
VCRI continuous: Live telemetry on each ingestion cycle. Posture score updates when the environment changes — within hours, not annually.
ISMAP alignment: ISMAP requires ongoing monitoring and risk management. VCRI is the operational mechanism that satisfies this obligation at scale, across hundreds of vendors simultaneously.
VCRI as ISMAP Re-Assessment Evidence
Cloud providers registered with ISMAP must demonstrate their own supply chain is secure. VCRI gives ISMAP-registered providers a continuously updated, third-party-verified evidence package they can submit directly to ISMAP assessors:
Current CAM scores for all Tier-1/2/3 sub-processors, updated on ingestion cycle
Timestamped telemetry receipts proving continuous (not point-in-time) monitoring
VCAR Dollar-at-Risk figures quantifying supply chain exposure per assessment period
SCF crosswalk mapping VCRI posture scores to specific ISMAP control identifiers
Japan Government Deployment Model
Agency Onboards
Procuring ministry or agency registers with VCRI. Defines vendor scope: all ICT suppliers subject to ISMAP A.15 obligations.
Vendors Submit Telemetry
Vendors connect their SIEM / GRC / VM platforms to VCRI's CRIBL pipeline. Data held in escrow. Agency sees scores, not raw data.
CAM Scoring Runs
CyberAssuranceMatrix evaluates each vendor across 6 TIPPSS dimensions × 6 asset classes. SCF normalizes against ISMAP control identifiers.
Evidence Package Generated
ISMAP-formatted evidence report generated per assessment cycle. Ready for submission to registered ISMAP assessment organizations.
Relevant Leadership Credentials
Joshua Marpet — Executive Director
Co-author of CMMC v1 (US DoD). Contributor to NIST supply chain security standards. Direct experience with government procurement security frameworks across multiple nations.
Allan Friedman — Board
Father of SBOM; former CISA / NTIA. The SBOM standard he created is a core component of supply chain transparency — and integrates directly into VCRI's v1.1 roadmap for ISMAP A.14 coverage.
Tom Cornelius — Board
Founder of Secure Controls Framework (SCF), which provides the cross-regime normalization engine mapping VCRI posture scores to ISMAP control identifiers, ISO 27001, NISC guidelines, and PIPA simultaneously.
Next Steps
VCRI × NISC working group briefing to map SCF control identifiers to ISMAP assessment criteria
Pilot with one government agency: onboard 5–10 key ICT vendors; generate first ISMAP evidence package
Engage ISMAP registered assessment organizations to validate evidence package format
Contact:
info@valuechainrisk.org
ValueChainRisk.org
Utilizes Secure Controls Framework (SCF) — securecompliance.org
Value Chain Risk Institute
Secure the Value, Not Just the Network.
ISMAP Alignment Brief · February 2026 · Non-Profit 501(c)(3)
TLP:WHITE — May be shared freely