The Framework
Independent vendor risk assessment requires a structured, repeatable methodology. VCRI's framework rests on three interconnected components: the CyberAssuranceMatrix (CAM), the VCAR risk quantification formula, and The Greeks data quality multipliers.
Core Assessment Tool
Developed by Joshua Marpet and Mitch Parker (IEEE/UL 2933 co-Vice Chair), the CAM is a structural verification tool. Where active defense frameworks ask "are we currently under attack?" — the CAM asks "were we built to resist attack?" Unverified design assumptions are the risk. The gap between where a vendor is and where they need to be is what VCRI scores.
Six TIPPSS Dimensions × Six Asset Classes × CMM Levels 1–5
Asset classes scored: Devices · Applications · Networks · Data · Users · AI
Every vendor is scored on CMM Levels 1–5 per TIPPSS dimension per asset class. The gap between current level and required level is the risk.
Risk Quantification
VCRI produces dollar-denominated risk figures using a deliberately simple two-input model — a conscious parallel to financial VaR (Value at Risk). The goal is continuous operation, not exhaustive modeling.
The first input is the revenue or mission value of each Functional System, which the client self-attests: "This billing process generates $50,000/week." Only the client knows this number. No external model can replace it.
The second input is how long specific risk types (ransomware, exfiltration, DDoS) typically impair operations, drawn from published incident data. VCRI maintains and continuously updates this database. When industry recovery times improve, every risk score updates automatically.
Why not FAIR? FAIR is excellent — mathematically rigorous and well-designed. Its operational friction (seven input factors per scenario) makes continuous assessment expensive. VCRI's two-input model is rougher but responsive. Continuous visibility, not annual precision.
Data Quality
Every risk score is adjusted by four multipliers that reflect data quality, vendor transparency, and concentration risk. A vendor with a technically acceptable posture but low data quality gets a worse effective score — which is correct.
Alpha reflects where the data comes from. High Alpha = the data comes from verified, independent sources. Low Alpha = the vendor filled out a questionnaire. High Alpha vendors can share one verified profile with all their clients: Portable Trust.
Beta is the percentage of data from automated API pull vs. manually assembled packages. Low Beta means the vendor curated their submission, the equivalent of an applicant editing their own reference letters.
Gamma is how many of your critical business processes depend on this vendor. High Gamma = systemic failure risk. Gamma drives the Decision Science Quadrant: Systemic Concentration Score vs. Remediation ROI.
Theta reflects assessment age. A scan expires the moment it's complete. High Theta = re-assessment overdue. This is the Heisenberg Problem of Risk made visible: the more granular the data, the faster its truth expires.
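The pieces described above (the CMM gap per TIPPSS × asset class cell, the two-input VCAR estimate, and the Greeks adjusting the result) as one added worked example. This is illustrative code written for this page, not VCRI's implementation: the impairment database values, the sample cells and the way the four multipliers combine are assumptions, since the page does not publish the formula.

```python
from dataclasses import dataclass

# Constructed impairment database: typical weeks of operational impairment per
# risk type. Illustrative values only, not VCRI's published incident data.
IMPAIRMENT_WEEKS = {"ransomware": 3.0, "exfiltration": 1.0, "ddos": 0.25}


@dataclass
class FunctionalSystem:
    name: str
    weekly_value_usd: float  # input 1: client self-attested revenue or mission value


def dollar_at_risk(system: FunctionalSystem, risk_type: str,
                   impairment_db: dict = IMPAIRMENT_WEEKS) -> float:
    """Two-input estimate: client-attested weekly value x published impairment
    duration (input 2). Passing an updated database re-scores every system."""
    return system.weekly_value_usd * impairment_db[risk_type]


def cmm_gap(current: dict, required: dict) -> dict:
    """Per-cell gap over (TIPPSS dimension, asset class) cells on CMM levels 1-5.
    A cell the vendor never scored defaults to level 1; meeting the requirement is gap 0."""
    return {cell: max(required[cell] - current.get(cell, 1), 0) for cell in required}


def adjusted_risk(dar: float, alpha: float, beta: float, gamma: float, theta: float) -> float:
    """Apply the Greeks. ASSUMED combination rule (the page states none): alpha and
    beta are verified/automated fractions in [0, 1] and raise the figure as they drop;
    gamma (concentration) and theta (staleness) in [0, 1] raise it as they grow."""
    for v in (alpha, beta, gamma, theta):
        if not 0.0 <= v <= 1.0:
            raise ValueError("multipliers must be fractions in [0, 1]")
    return dar * (2.0 - alpha) * (2.0 - beta) * (1.0 + gamma) * (1.0 + theta)


if __name__ == "__main__":
    billing = FunctionalSystem("billing", 50_000.0)  # the page's $50,000/week example
    dar = dollar_at_risk(billing, "ransomware")
    print(f"{billing.name}: ${dar:,.0f} at risk from ransomware")
    # Industry recovery time improves: one database update, every score moves.
    better = {**IMPAIRMENT_WEEKS, "ransomware": 2.0}
    print(f"after update: ${dollar_at_risk(billing, 'ransomware', better):,.0f}")
    # Constructed sample cells; Security and Privacy are two of the six TIPPSS dimensions.
    required = {("Security", "Data"): 4, ("Privacy", "Data"): 3}
    current = {("Security", "Data"): 2}
    print("CMM gaps:", cmm_gap(current, required))
    # Questionnaire-only vendor (low Alpha, no API pull) that many processes depend on.
    print(f"adjusted: ${adjusted_risk(dar, 0.2, 0.0, 0.5, 0.5):,.0f}")
```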
Infrastructure
Vendors operate under heterogeneous compliance regimes. VCRI normalizes everything to a common baseline so cross-vendor comparison is possible regardless of source framework.
Ingestion takes in vendor system data (vulnerability management, SIEM, GRC tools) and applies transforms: schema normalization, sensitivity redaction, SCF control mapping, maturity classification.
A single master control library absorbs 100+ compliance frameworks. A vendor under ISO 27001 and a vendor under CMMC become directly comparable: both map to the same SCF control ID and the same CAM cell.
Scoring places the normalized data into TIPPSS × CMM cells. Verification gaps are computed. Dollar-at-Risk is calculated via VCAR. Traffic Light risk signals are published per vendor per category.
Inside-Out, not Outside-In. VCRI doesn't scan vendors from the outside. Vendors submit live telemetry from the inside — preferably via automated API pull. Vendors who package their own data instead of allowing automated pull receive a lower Beta score, creating a market incentive for full transparency.
Deep Dives
Full technical specifications, regulatory alignment, and methodology details.
Full platform architecture, data pipeline, and scoring methodology.
Value Chain Risk scoring in detail — TIPPSS, VCAR, and risk quantification.
How VCRI maps to Japan's ISMAP government cloud security framework.
Vendor data protection, escrow architecture, and privacy model.
How vendor data is held, isolated, and protected in the escrow system.
Mutual evaluation package and evidence requirements for partnership.