Non-Profit Consortium

Stop Guessing.
Operationalize Risk.

The era of the static spreadsheet audit is over. We establish the first continuous, real-time standard for quantifying supply chain risk across the Defense Industrial Base.

VCRI_LIVE_MONITOR_V1.2
LOGISTICS-ALPHA STATUS: COMPLIANT
CHIP-MFG-04 ALERT: CRIT VULNERABILITY
SOFTWARE-FIN-1 ACTION: POLICY REVIEW

The "Outside-In" Failure

Current risk scores rely on superficial scanning. They miss the Bill of Materials (BoM), internal policy, and real-time compliance status. When questionnaires fill the gap, vendors grade their own homework — and the results reflect it.

Opaque Supply Chains

You know your vendors, but you don't know their vendors. We map the full BoM/SBoM tree to expose hidden risks.

Static Audits

Compliance is a point-in-time snapshot — what VCRI calls the Decay of Truth: audit findings begin expiring the moment they are filed. Traditional risk-to-action takes 6 months. VCRI surfaces it in 6 seconds. We move you to Continuous Operational Risk monitoring.

No Standardization

Every vendor speaks a different framework language — ISO 27001, SOC 2, CMMC, NIST. The Secure Controls Framework (SCF) translates all 100+ compliance frameworks to a single master control library, making VCRI's scoring framework-agnostic for both vendors and customers.

The Solution

The "Inside-Out" Standard

The Institute is building the Risk Traffic Light Protocol. By ingesting SBoM, FBoM, and raw compliance data into a neutral, non-profit engine, we provide a normalized risk signal that the entire market can trust.

  • Real-Time Fidelity

    Updates as fast as the data changes. No more waiting for annual reviews.

  • Neutral "Safe Harbor"

    A non-profit engine that protects sensitive vendor data while sharing the risk score.

  • Actionable Signals

    Green means go. Red means stop shipment. Simple, operational decision support.

  • Dollar-Denominated Risk

    VCRI quantifies risk in dollars per business process — not abstract scores. The amount at stake, continuously updated as the threat landscape changes.

  • Portable Trust for Vendors

    Vendors who earn a strong VCRI profile share it with every client on the platform. Answer once. Share everywhere. Questionnaire fatigue eliminated.

Risk Normalization Engine

  1. Ingest Data

     SBoM / FBoM / Audit Logs

  2. Normalize Logic

     Apply IEEE/UL 2933 Standards

  3. Output Signal

     Traffic Light Risk Score

Regulatory Imperative

Global regulators are mandating continuous third-party risk monitoring — not annual checkboxes. VCRI is what compliance looks like in practice.

DORA (EU) · FedRAMP (USA) · SAMA (Saudi Arabia) · NESA (UAE) · CMMC (US Defense)

Built by the Architects of CMMC

"We've seen how compliance fails when it's just paperwork. We are building the operational fix."

Joshua Marpet

Executive Director

Co-Author, CMMC v1

Compliance & Risk Veteran