VCRI — Value Chain Risk Institute

The Problem

Vendors are grading their own homework.

Questionnaires. Annual audits. Self-attestation. The tools we use to assess vendor risk were designed for a world that no longer exists.

📋

Questionnaires Don't Work

Vendors self-report. Nobody verifies. The incentive is to check every box, not to tell the truth.

🚨

Audits Are Snapshots

Annual audits measure a single moment. Adversaries operate continuously. The gap is measured in months.

💥

Clean Audits, Real Breaches

SolarWinds, MOVEit, and Change Healthcare all had clean audit reports. The audits didn't stop them from becoming catastrophic supply chain failures.

Traditional risk-to-action: 6 months. VCRI: 6 seconds.

From vendor data ingestion to actionable risk score.

What VCRI Does

Continuous, verified vendor security visibility.

VCRI is the trusted neutral clearinghouse that holds vendor security data in escrow — giving every organization in a value chain continuous, verified visibility into whether the vendors they depend on are actually secure.

Live telemetry from actual security tools. Vendors submit data from the tools they actually run — not a summary, not a questionnaire response.
Not questionnaires. Not external scans. The real data, held in escrow by a nonprofit that answers to no vendor.
Scored against what they should have. Compared to expected security posture — not just what they claim to have in place.
Output: dollars at risk. Per business process, per vendor. Actionable financial risk, not a color-coded dashboard.

Why Vendors Cooperate

Portable Trust

"Answer once. Share everywhere. Stop filling out 50 questionnaires a year."

API Pull Preferred

Data is pulled directly from vendor security tools via API. The vendor doesn't choose what to export — reducing selection bias.

Expected-State Comparison

Actual telemetry is compared against the Secure Controls Framework — an objective, industry-standard baseline for what security should look like.

Nonprofit Governance

A 501(c)(3) board defines what gets collected, how it's scored, and who can see it. No vendor influence. No pay-to-play.

The Methodology

Cyber Assurance Matrix (CAM)

TIPPSS dimensions scored across six asset types at five maturity levels. The gap between actual and required level is the risk signal.

TIPPSS Dimension	Devices	Applications	Networks	Data	Accounts	AI
Trust	1–5	1–5	1–5	1–5	1–5	1–5
Identity	1–5	1–5	1–5	1–5	1–5	1–5
Privacy	1–5	1–5	1–5	1–5	1–5	1–5
Protection	1–5	1–5	1–5	1–5	1–5	1–5
Safety	1–5	1–5	1–5	1–5	1–5	1–5
Security	1–5	1–5	1–5	1–5	1–5	1–5

36 Cells

Each cell maps a TIPPSS dimension to an asset type with a CMM maturity level from 1 (Initial) to 5 (Optimizing).

Gap = Risk Signal

The difference between a vendor's actual maturity and the required level produces a quantified risk signal tied to business impact.

Co-authored Standard

Developed with Mitch Parker, CISO of Indiana University Health and IEEE standard co-chair.

Financial Output

Risk is expressed in dollars at risk per business process — not arbitrary scores or traffic-light dashboards.

Leadership

Board of Directors

VCRI's board brings decades of security leadership from government, healthcare, standards bodies, and critical infrastructure.

Mary Ann Davidson

Former CSO, Oracle (40 years)

Allan Friedman

Created the US SBOM framework (ex-CISA)

Mitch Parker

CISO, Indiana University Health

Tom Cornelius

Founder, Secure Controls Framework

Lee Neely

Sr. Cyber Analyst, LLNL (38 years)

Robert Hill

CEO, Cyturus

Paul Asadoorian

Founder, Security Weekly / Eclypsium

Michael Shea

UN Digital Supply Chain Transparency

Market Context

Regulatory Tailwinds

The global regulatory environment is moving toward exactly what VCRI provides: continuous, verified third-party risk monitoring.

European Union

DORA

The Digital Operational Resilience Act mandates continuous third-party ICT risk monitoring for financial institutions. Effective January 2025.

United States

FedRAMP ConMon

Continuous monitoring requirements for cloud service providers serving federal agencies. Moving beyond point-in-time assessments.

United States

FCC Router Ban

Hardware supply chain urgency. Banning foreign-manufactured routers highlights the need for verified hardware provenance across value chains.

Get Involved

The conversation starts here.

We're building the foundational infrastructure for value chain security. Government agencies and strategic partners who want to be part of defining how this works at scale — reach out.

info@valuechainrisk.org

Joshua Marpet, Founder & President