---
id: "question-government-vendor-guidance"
type: "open-question"
source_timestamps: ["¶13"]
tags: ["vendor-management", "resources"]
related: ["action-vet-vendors"]
resolutionPath: "Identify and link to specific CISA or NIST guidelines for third-party risk management."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# What specific government guidance helps vet vendors?

**The gap:** The source advises SMBs to use government-agency guidance to evaluate vendor security forms ([[action-vet-vendors]]), but never specifies *which* agencies (e.g., CISA, NIST) or *which* frameworks/documents to reference.

**Resolution path:** Identify and link to specific third-party risk management guidance. Enrichment surfaces the canonical candidates a domain expert would cite:
- **CISA** — resources on third-party risk and secure software development; checklists/questions SMBs can use when vetting vendors; Cyber Essentials.
- **NIST SP 800-161** — Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
- **NIST SP 800-53 / 800-171** — access control, audit, and contingency-planning controls relevant to vendor assessment.
