In today’s hyper-connected ecosystem, your organization is only as secure as your weakest third-party vendor. As cyber threats and regulatory scrutiny intensify, third-party risk management (TPRM) and supply chain compliance are no longer check-the-box activities—they’re strategic imperatives.
At Internetwork Engineering (IE), a Presidio Company, we work with IT managers and CISOs every day who are facing rising expectations for managing vendor risk, validating cybersecurity hygiene across their supply chains, and demonstrating compliance to regulators, auditors, and customers.
Let’s break down what’s changing in 2025—and what your team can do now to stay ahead.
The past year has brought a surge in supply chain-targeted attacks, driven by increasingly sophisticated adversaries and exploited trusted relationships. From nation-state campaigns to ransomware-as-a-service, attackers are shifting their focus downstream—and regulators are taking notice.
Here’s why 2025 is different:
Here are the updates every IT leader should be tracking this year:
1. CMMC 2.0 & NIST 800-171 Compliance Pressure
For organizations handling Controlled Unclassified Information (CUI), CMMC Level 2 requires the NIST SP 800-171 controls (MFA, encryption of CUI at rest and in transit, incident reporting, and more), and those requirements flow down to every subcontractor in your ecosystem that stores, processes, or transmits CUI. For most contracts, Level 2 also means a verified assessment by an accredited third-party assessment organization (C3PAO) rather than a self-attestation.
What to do: Start mapping which vendors touch CUI and ensure they meet the same controls your organization does.
2. NIST SP 800-161 Rev. 1 – Supply Chain Risk Guidance
Published in 2022 and updated in late 2024, NIST's supply chain risk management guidance emphasizes:
What to do: Evaluate your procurement and vendor intake processes. Are you validating the security posture of third-party software and services before integration?
3. Executive Order 14028 Impact
This U.S. cybersecurity executive order continues to influence federal and private sector practices, particularly regarding:
What to do: Begin requesting SBOMs from critical technology vendors to understand software dependencies and vulnerabilities.
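Requesting an SBOM is only useful if someone checks it when it arrives. The script below is an added example for this article (it is not IE's, NIST's, or any vendor's code) showing the two checks a TPRM team can run on every CycloneDX SBOM a vendor delivers: whether it carries the NTIA "minimum elements" that EO 14028 led to (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp), and whether any listed component falls inside a known-vulnerable version range. The SBOM, the vendor name, the package names and the advisory IDs are all constructed sample data, not real products or real CVEs.

```python
"""Review a vendor-supplied CycloneDX JSON SBOM before accepting it.

Added example, not code from the article or from NIST. All sample data
below (vendor, packages, advisory IDs) is constructed for illustration.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample input: a minimal CycloneDX 1.5 JSON SBOM. The third
# component is deliberately incomplete to show what a bad SBOM looks like.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "authors": [{"name": "ExampleVendor Security Team"}],  # hypothetical
        "component": {"type": "application", "name": "vendor-portal",
                      "version": "3.2.0", "bom-ref": "app",
                      "supplier": {"name": "ExampleVendor Inc."}},
    },
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.3.0",
         "purl": "pkg:pypi/examplelib@1.3.0", "bom-ref": "examplelib",
         "supplier": {"name": "examplelib maintainers"}},
        {"type": "library", "name": "otherlib", "version": "2.0.0",
         "purl": "pkg:pypi/otherlib@2.0.0", "bom-ref": "otherlib",
         "supplier": {"name": "otherlib maintainers"}},
        {"type": "library", "name": "mystery-lib"},  # no version/purl/supplier
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["examplelib", "otherlib"]}],
})

# Constructed advisory list with hypothetical IDs (not real CVEs).
# Each range is [introduced, fixed): the "fixed" version itself is safe.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:pypi/examplelib@",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-EXAMPLE-0002", "purl_prefix": "pkg:pypi/otherlib@",
     "introduced": "0.0.0", "fixed": "1.9.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only. Enough for the sample; real ecosystems
    need their own rules (semver pre-release tags, Debian epochs, etc.)."""
    return tuple(int(p) for p in v.split("."))


def check_minimum_elements(sbom: Dict[str, Any]) -> List[str]:
    """Return one finding per NTIA minimum element that is absent."""
    findings: List[str] = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")
    if not sbom.get("dependencies"):
        findings.append("document: missing dependency relationships")
    for c in sbom.get("components", []):
        name = c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append("component: missing name")
        if not c.get("version"):
            findings.append(f"component {name}: missing version")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"component {name}: missing unique identifier (purl/cpe)")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"component {name}: missing supplier")
    return findings


def match_advisories(sbom: Dict[str, Any],
                     advisories: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) for every component inside a vulnerable range."""
    hits: List[Tuple[str, str]] = []
    for c in sbom.get("components", []):
        purl, version = c.get("purl"), c.get("version")
        if not purl or not version:
            continue  # already reported by check_minimum_elements
        v = parse_version(version)
        for adv in advisories:
            # Prefix ends with "@", so "examplelib-extra" cannot match "examplelib".
            if purl.startswith(adv["purl_prefix"]) and \
                    parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits


def review_sbom(sbom_json: str, advisories: List[Dict[str, str]]) -> Dict[str, Any]:
    """Full intake check: accept only a complete SBOM with no vulnerable components."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    gaps = check_minimum_elements(sbom)
    hits = match_advisories(sbom, advisories)
    return {"gaps": gaps, "vulnerable": hits, "accept": not gaps and not hits}


if __name__ == "__main__":
    print(json.dumps(review_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES), indent=2))
```

Run as-is, the sample SBOM is rejected on two grounds: `mystery-lib` has no version, identifier or supplier (so it cannot be matched against any advisory at all), and `examplelib` 1.3.0 sits inside the constructed vulnerable range. In practice the advisory list would come from a vulnerability feed such as OSV or the NVD, and the minimum-elements check is the contractual hook: an SBOM that fails it is not the deliverable you asked for.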
4. Continuous Monitoring Expectations
Annual risk questionnaires and point-in-time assessments are no longer sufficient. Continuous, outside-in risk scoring via platforms like SecurityScorecard or BitSight is becoming the norm for critical third parties. Keep in mind that these ratings are built from externally observable signals (exposed services, patching cadence, DNS and certificate hygiene); they complement, rather than replace, evidence of a vendor's internal controls.
What to do: Consider implementing continuous third-party monitoring tools and integrating them with your vendor risk management process.
We understand that IT teams are stretched, and compliance can’t come at the expense of operational uptime. That’s why we help clients implement pragmatic, scalable third-party risk strategies that align with business goals.
Here’s our recommended framework:
1. Inventory and Categorize Vendors
Know who your vendors are, what systems/data they access, and how critical they are to operations.
2. Standardize Security Due Diligence
Implement a lightweight, tiered security questionnaire process based on vendor risk level. Consider automation tools where possible.
3. Contractual Safeguards
Update vendor contracts to include right-to-audit clauses, cybersecurity requirements, incident notification SLAs, and termination provisions.
4. Establish a Review Cadence
Risk isn’t static. Review higher-risk vendors on a fixed cycle (at least annually, and every six months for the most critical), and monitor critical suppliers continuously if budget allows.
5. Educate Internal Stakeholders
Procurement, legal, and business units need to understand their role in third-party risk. Make this a shared responsibility.
In 2025, third-party risk management isn’t optional—and it’s not just about compliance. It’s about resilience, trust, and operational continuity. The attack surface will only grow as digital ecosystems expand, and customers, regulators, and your board will expect answers before—not after—an incident.
At Internetwork Engineering, a Presidio company, we help organizations strengthen their supply chain security through strategic guidance, risk assessments, and implementation support for frameworks like NIST, CMMC, and Zero Trust.
Let’s talk about where you are today—and where you need to be to stay compliant and secure in 2025.