VCRI
Founding Partnership · 2026

Value Chain Risk Institute



"Secure the Value, Not Just the Network."

The trusted neutral clearinghouse for vendor security data — giving every organization in a value chain continuous, verified visibility into whether the vendors they depend on are actually secure.

Video introduction: https://youtu.be/2_R5fE9LbnU

Joshua Marpet · Executive Director · info@valuechainrisk.org · ValueChainRisk.org

The Crisis

The Supply Chain Is the Attack Surface.


February 2022 · Japan

Kojima Industries ransomware attack — Toyota halted production at all 14 Japanese plants.

One Tier-1 supplier. 13,000 cars lost in a single day. Toyota had no visibility into their supplier's security posture.

  • 80% of breaches originate in the third-party supply chain
  • SolarWinds: 18,000+ organizations via one trusted software vendor
  • Kaseya: 1,500 businesses downstream of one managed service provider

"When a trusted vendor fails, every customer in their value chain fails with them."

The Broken Model

Vendors Grade Their Own Homework.


The Annual Questionnaire
  • Vendors self-report their own security status
  • Answers are optimistic by design
  • Obsolete the moment they are filed
  • Repeated every 12 months — unchanged
The Decay of Truth

A penetration test finding is valid for approximately five minutes after the engagement ends. The moment a developer commits new code, the scan is obsolete.

Point-in-time compliance is mathematically broken.

Companies spend millions on security without knowing whether the vendors wired into their operations are actually secure. They buy insurance they can't price. They sign indemnities they can't enforce. They get breached by a vendor they'd just received a clean audit on.

The Benchmark

Risk-to-Action: Traditional vs. VCRI

  • Traditional audit cycle: 6 months (Annual questionnaire → review → report → action)
  • VCRI continuous telemetry: 6 seconds (Live telemetry → automated evaluation → instant alert)

"You cannot secure what you only check once a year."

The Solution

The Trusted Neutral Clearinghouse

Like a financial escrow service — but for vendor security posture.


1. Vendors submit live security telemetry
   Real data from actual tools — not a questionnaire. Automated pipeline preferred; vendors who allow it earn higher trust scores.
2. VCRI holds it in escrow and evaluates
   Data compared against expected state for a vendor at their maturity level. Gaps surface as risk — not just as missing checkboxes.
3. The value chain sees reality — continuously
   Every organization depending on that vendor sees their real posture in real time. Risk expressed in dollars per business process.

Dollar-Denominated Risk
Not a traffic light — a dollar figure. Revenue or mission value at stake per vendor, per process.

Framework-Agnostic
ISO 27001, SOC 2, CMMC, NIST — all normalized to a single baseline via the Secure Controls Framework (SCF). Same score, any framework.

Built on: CRIBL · Cyturus · Secure Controls Framework · CMMI · TIPPSS

The Differentiator

Why This Is Different

Every other vendor risk service works from the outside in. VCRI works from the inside out.


  • Inside data, not guesses. External scanning infers. VCRI ingests live telemetry from inside vendor systems. The data isn't inferred — it's real.
  • The system enforces honesty. Automated data access earns higher trust scores. Vendors who package their own data earn lower ones. Transparency is the rational choice — by design.
  • Portable Trust for vendors. One VCRI profile shared with every client. Answer once. Share everywhere. Questionnaire fatigue eliminated.
  • Non-profit. No conflicts. VCRI isn't selling security products. One function: hold the data in trust and tell the truth about what it says.

Japan · Primary Opportunity

Japan's Supply Chains Are Among the World's Most Complex.


Government
ISMAP Mandate
ISMAP 情報システムセキュリティ管理及び評価制度

Japan's Information System Security Management and Assessment Program requires continuous vendor security monitoring for government cloud services.

VCRI delivers exactly what ISMAP requires.
Industry
Keiretsu Supply Chains

Japan's interlocking corporate supplier networks — automotive, electronics, defense — involve thousands of Tier 1, 2, and 3 vendors. Each tier is a potential breach point.

Kojima → Toyota was Tier 1. Deeper tiers are invisible today.

Japan as VCRI's Asia-Pacific Anchor Partner — the first government to deploy VCRI sets the regional standard.

Global Regulatory Mandate

Regulators Worldwide Are Mandating This Now.

Not recommendations. Not guidelines. Continuous third-party risk monitoring — required by law.


Primary Markets · Active Government Interest
  • ISMAP: Japan · Government Cloud
  • SAMA: Saudi Arabia
  • NESA: UAE

Global Frameworks · Full Alignment
  • DORA: EU
  • FedRAMP: USA
  • CMMC: US Defense

VCRI's pipeline maps directly to the evidence these frameworks require. First nations to operationalize these mandates become the safest hubs for global commerce.

Leadership

Built by the Architects of Modern Cybersecurity

The people who wrote the standards and led security at the world's most critical institutions.


  • Joshua Marpet (Executive Director): Co-author CMMC v1 · NIST contributor · IANS Faculty
  • Mary Ann Davidson (Board): Former CSO, Oracle · 40 years · Unbreakable program
  • Allan Friedman (Board): "Father of SBOM" · Fmr. CISA/NTIA
  • Mitch Parker (Board · CAM Co-Author): CISO, IU Health · Co-Vice Chair IEEE/UL 2933
  • Tom Cornelius (Board · Technology Partner): Founder, Secure Controls Framework (SCF)
  • Lee Neely (Board): Sr. Cyber Analyst, Lawrence Livermore National Lab

+ Robert Hill (Cyturus) · Paul Asadoorian (Security Weekly / Eclypsium) · Michael Shea (UN Transparency Protocol)

Founding Round

$3.1M


To build, staff, and operationalize the foundational infrastructure for value chain security at global scale.

Use of Funds
· Platform engineering & CRIBL pipeline
· Core staff (engineering, partnerships)
· Legal, compliance, governance
· Research arm launch

Milestones
· Months 1–6: Platform live · 1 government agency onboarded · CRIBL pipeline operational
· Months 7–12: 10 vendors from agency ecosystem active · First value chain dashboards live
· Year 2: Fee revenue covers operations · Self-sustaining non-profit research mission
· Japan · Asia-Pacific Expansion: Japanese government anchor + keiretsu industry cohort · ISMAP alignment demonstrated

The Opportunity

Japan as the Asia-Pacific Anchor.


The first government to deploy VCRI establishes the regional standard. Japanese industry and government operating together through VCRI creates the most transparent, resilient value chain ecosystem in Asia-Pacific — and a model for the world.

info@valuechainrisk.org
ValueChainRisk.org

"You Cannot Secure What You Only Check Once a Year."