ValueChainRisk.org
Executive Overview · February 2026

Value Chain Risk Institute

"Secure the Value, Not Just the Network."



The Crisis

80% of breaches originate in the third-party supply chain. SolarWinds. Kaseya. Target. Each time, a trusted vendor was the door — and no one knew the door was open.

The current response: send vendors an annual questionnaire and ask them to fill it out. Vendors grade their own homework. The report is obsolete the moment it's filed. And next year, the cycle repeats.

The result is uncontrollable insurance premiums, unenforceable indemnities, and a security industry built around the fiction that a snapshot taken once a year describes a threat landscape that changes by the minute.


What VCRI Does

VCRI is the trusted neutral clearinghouse for vendor security data — the infrastructure layer that gives entire value chains continuous, verified visibility into the security posture of every vendor they depend on.

Vendors provide their actual security telemetry directly to VCRI — from the real tools they use to manage their systems, not from a form they fill out. VCRI holds that data in escrow, evaluates it against what a genuinely secure vendor should look like, and makes the result continuously available to everyone in that vendor's value chain.

A manufacturer knows if its software supplier is secure. A hospital knows if its medical device vendor is secure. A government agency knows if its contractors are compliant — not at the next annual audit, but the moment anything changes.


Why This Is Different

Inside data, not guesses. Every other vendor risk service scans vendors from the outside. VCRI ingests from their actual live systems. The data isn't inferred — it's real.
The system enforces honesty. Vendors who allow automated data access receive higher trust scores. Vendors who package their own submissions receive lower ones. Transparency is the rational choice.
Portable Trust for vendors. Vendors who maintain a strong VCRI profile share it with every client on the platform — eliminating redundant audits and questionnaire fatigue across their entire customer base.
Non-profit. No conflicts. VCRI isn't selling security products. It doesn't compete with vendors. Its only function is to hold the data in trust and tell the truth about what it says.
Any data, any format — compared against the real standard. Vendors submit existing exports, reports, or audit artifacts in any format. The VCRI Intelligence Layer ingests them, transforms them to the scoring schema, and compares them against VCRI's independently maintained attestation baseline — what a vendor at your claimed maturity level should actually be able to demonstrate. No integration timeline required to find out where you actually stand.

Regulatory Imperative

Global regulators are mandating continuous risk quantification — not recommendations. First movers become the safest hubs for global commerce.

DORA · EU
FedRAMP · USA
SAMA · Saudi Arabia
NESA · UAE
CMMC / CSRMC · US Defense
ISMAP · Japan

Leadership & Board

Joshua Marpet · Executive Director. Co-author CMMC v1; NIST contributor; IANS Faculty.
Mary Ann Davidson · Fmr. CSO, Oracle (40 years).
Allan Friedman · "Father of SBOM," fmr. CISA/NTIA.
Mitch Parker · CISO, Indiana University Health; IEEE/UL 2933 co-chair.
Lee Neely · Senior Cyber Analyst, Lawrence Livermore National Lab.
Tom Cornelius · Founder, Secure Controls Framework (SCF).
Robert Hill · Founder & CEO, Cyturus.
Paul Asadoorian · Founder, Security Weekly; Principal Researcher, Eclypsium.
Michael Shea · UN Transparency Protocol, Digital Product Passports.

The Ask

$3.1M

To build, staff, and operationalize the foundational infrastructure for value chain security at global scale.

Months 1–6: 1 government agency onboarded; platform live
Months 7–12: 10 vendors from agency ecosystem active
Year 2: Recurring fee revenue covers operations; self-sustaining

Government agencies and strategic partners:

info@valuechainrisk.org
ValueChainRisk.org

6 months: traditional audit cycle
6 seconds: VCRI continuous telemetry

Utilizes Secure Controls Framework (SCF) — securecompliance.org

© 2026 Value Chain Risk Institute · Non-Profit Consortium · ValueChainRisk.org

"You Cannot Secure What You Only Check Once a Year."