
Client Success Story

Building Cyber Supply Chain Risk Management (C-SCRM) for the U.S. Department of the Interior

The Department of the Interior had to meet Executive Order 14028 across a large network of hardware, software, and service vendors without real-time risk visibility. InterSec, with a product partner, built a C-SCRM program that made supply-chain risk a routine function rather than a special project.

Engagement outcomes
- NIST SP 800-53 SR common controls were documented.
- The program fully met the Executive Order 14028 and OMB M-22-18 directives.
- Cyber supply chain risks were identified and addressed across the vendor network.

Client: U.S. Department of the Interior
Sector: Federal
Scope: Vendor risk across multiple bureaus
Drivers: EO 14028 and OMB M-22-18
01. The Challenge

The Department had to comply with Executive Order 14028 while managing a large and varied network of suppliers, and it lacked a centralized way to identify suspect hardware or software in real time. That gap exposed the organization to operational disruption and to the risk of falling out of compliance with federal mandates.

A complex supply chain: components were hard to authenticate one by one across many providers.
Fragmented visibility: there was no central data to drive proactive threat detection.
High compliance stakes: a lapse could carry both operational and reputational cost.
02. The Approach

InterSec built a C-SCRM program designed to fit into the Department's daily operations, so staff could detect and mitigate supply-chain risk as a routine function rather than a one-off project. Adoption was treated as seriously as the technology.

1. Build a repeatable framework: establish processes for identifying, analyzing, and mitigating supply-chain risk across the vendor network.
2. Treat adoption as a deliverable: develop user guides, train stakeholders across bureaus, and hold regular office hours so the practices stick at scale.
3. Surface real-time vendor risk: integrate tools and dashboards that show vendor status and alert when a posture changes.
03. The Solution in Practice

InterSec introduced secure data-collection pathways, automated software and hardware bill-of-materials reviews, and coordinated intelligence sharing, giving the Department immediate insight and faster response options. Working with a product partner, the program delivered efficient vendor-profile aggregation, SBOM and HBOM analysis aligned with OMB M-22-18, real-time risk monitoring with alerts, secure sharing of risk analyses, clear visualization, and multi-group access tuned to different data needs across the Department.

SBOM and HBOM analysis turns vendor trust into evidence: it is the difference between assuming a supply chain is clean and proving it.

04. Results and Impact

Real-time monitoring and structured oversight let the Department address supply-chain risks early, improving both compliance and operational stability.

NIST SP 800-53 SR common controls were documented for consistent inheritance, supporting FISMA and FedRAMP compliance for system owners.
05. Key Takeaways

Supply-chain risk has to live in daily operations: a program staff treat as routine catches more than one run as a special project.
Adoption is a deliverable, not an afterthought: user guides, training across bureaus, and office hours are what make a federal program stick at scale.
SBOM and HBOM analysis turns trust into evidence: confirming components are genuine is the difference between assuming a supply chain is clean and proving it.
Document common controls for inheritance: capturing the NIST SP 800-53 SR controls once lets many system owners inherit them, which compounds the value.
Capabilities Demonstrated
C-SCRM Framework and Implementation; SBOM and HBOM Analysis; Real-Time Vendor Risk Monitoring; FISMA and FedRAMP Alignment; Stakeholder Training and Adoption

Working With InterSec

Meeting EO 14028 across a sprawling vendor network takes more than a tool. It takes a program people actually use. InterSec builds C-SCRM capabilities for federal organizations and helps them stick. Let's discuss your supply-chain risk posture.