---
id: "action-vet-vendors"
type: "action-item"
source_timestamps: ["¶13"]
tags: ["supply-chain-risk", "vendor-management"]
related: ["framework-dobrygowski-smb-cyber-defense", "question-government-vendor-guidance"]
action: "Evaluate vendor security forms using government-provided guidance."
outcome: "Mitigates supply chain vulnerabilities and ensures third-party security compliance."
speakers: ["Daniel Dobrygowski"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Vet Vendor Security via Government Guidance

**Action:** Don't just collect security forms from vendors — actively evaluate their responses. Because many companies don't know what to look for in these forms, leverage guidance provided by government agencies to properly assess vendor vulnerability.

**Outcome:** Mitigates supply-chain vulnerabilities and ensures third-party security compliance.

**Where it fits:** Step 5 ("Vet your vendors") of [[framework-dobrygowski-smb-cyber-defense]].

> [!question] Which guidance? (open question)
> The source doesn't name the agencies or documents. See [[question-government-vendor-guidance]]. Enrichment points to CISA third-party-risk resources and NIST SP 800-161 (Supply Chain Risk Management) as the canonical references a domain expert would cite.
## Related across articles
- [[action-probe-high-risk-partners]]
- [[concept-extraorganizational-risk]]
