Supplier Network | ISO 27001:2022 A.5.19–A.5.23 · CMMC flowdown · Supplier Assurance Programs

Your suppliers' risk is your risk

You depend on dozens of vendors. Each one is a potential vector for a breach, a compliance finding, or a deal that stalls at security review. TractionGRC maps your supplier network across tiers, pulls each vendor's TractionScore™ into the view, and flags the ones worth actual attention.

Know which suppliers introduce real risk
Respond to SSPA, SIG, SIG Lite, CAIQ, or HITRUST requests
Reduce delays from vendor reviews and security questionnaires

Why supplier visibility matters

Supplier risk is where three different things come at you at once: enterprise deals, Stage 2 audits, and the breach that comes through a vendor you never thought about.

Deals stall at supplier review

Enterprise procurement teams do not just ask about your security. They ask about your suppliers' security. "Send us your vendor register with risk ratings" is a question you either answer in a day or chase for a month.

Auditors sample supplier work

ISO 27001 Annex A.5.19 to A.5.23 is one of the most frequently sampled control families at Stage 2 audits. CMMC C3PAO assessors check the same surface under DFARS 252.204-7021 flowdown. Both want to see the supplier register, contractual requirements, monitoring evidence, and termination procedures.

Tier 2 is where it hurts

Most breaches come through a supplier of a supplier. Your Tier 1 vendors may be mature. Their subcontractors often are not. The risk lives two hops away and most registers stop at one.

Acme Demo Co · Supplier Network Risk Map (interactive demo)

Explore Acme's supplier network and understand how risk flows across tiers.

Legend: Compliant (76+) · Needs attention (51–75) · At risk (<51)

The demo's "Run simulation" option shows how risk can propagate across supplier relationships.
VendorConnect™ ID

One ID. Live data. No spreadsheets.

Every organization on TractionGRC gets a VendorConnect ID. Share it with customers and they add you to their supplier map with one click. Your TractionScore stays live on their view, with no questionnaire to re-fill and no spreadsheet to keep current.

  • Unique ID assigned at registration
  • Customers add suppliers with one click
  • Live TractionScore syncs into the map
  • Score changes can trigger upstream review
  • Supports Tier 1, Tier 2, Tier 3 and beyond

Acme Demo Co · VendorConnect ID (demo)

ID: TG-AC3E-DEM0 · Status: Active

Share this ID with customers to appear on their supplier network map.

Example connection event: Northwind Logistics added Acme as a Tier 1 supplier. Acme's score (76) is now visible on their supplier network view.

Where supplier oversight comes from

Supplier risk management is not optional. Four different sources demand it, in four different shapes.

ISO 27001:2022 A.5.19–A.5.23

Supplier relationships require documented security policies, contractual requirements, supply chain information security, and monitoring of supplier service delivery throughout the relationship lifecycle.

SOC 2 Type II Vendor Management

Trust Services Criteria require controls over vendor selection, due diligence, ongoing monitoring, and incident response procedures for third-party providers.

CMMC 2.0 DFARS 252.204-7021 flowdown

DoD prime contractors must flow CMMC requirements down to subcontractors handling the same CUI. A prime at Level 2 needs every CUI-touching sub at Level 2 for that scope. C3PAO assessors check this directly.

Supplier Assurance Programs SSPA · SIG · CAIQ · HITRUST

Customer-driven questionnaire programs like Microsoft SSPA require direct supplier oversight of subcontractors. TractionGRC includes starter libraries for SSPA (DPR v12), SIG, SIG Lite, CAIQ, and HITRUST.

Supplier Assurance Programs

Run the assurance programs your customers ask for

Customers send you SSPA, SIG, CAIQ, or HITRUST. You send your own vendors the same, or something similar. TractionGRC runs both directions of the workflow from one place, so the work you do answering a questionnaire becomes the evidence you use to issue one.

Included on every plan

Respond to assurance requests

When a customer sends you an SSPA, SIG, SIG Lite, CAIQ, or HITRUST questionnaire, respond directly in TractionGRC. Pull evidence from your controls library, reuse previous responses, and let TractionAI draft answers you can review.

  • Answer questionnaires from customers through a shareable link
  • Reuse evidence across multiple requests
  • Draft responses with TractionAI based on your own controls
  • Export completed responses as a PDF package

Professional and Enterprise

Issue assurance programs from the catalog

Run your own supplier assurance programs at scale. Pick from our starter libraries, assign suppliers, collect evidence, and track readiness across your vendor ecosystem.

  • 5 starter libraries: SSPA, SIG, SIG Lite, CAIQ, HITRUST
  • Build custom programs for your own requirements
  • Assign programs to suppliers in your network
  • Track supplier responses and evidence in one view

Starter libraries in the catalog

Available to issue on Professional and Enterprise plans. Respond to any of these on every plan.

SSPA

DPR v12 · April 2026

Microsoft Supplier Security & Privacy Assurance. Core starter library for Microsoft suppliers.

SIG

2025

Shared Assessments full SIG. Extended supplier assurance for higher-risk or strategic vendors.

SIG Lite

2025

Condensed SIG questionnaire. Suitable for lower-risk vendor reviews.

CAIQ

v4.0

Cloud Security Alliance Consensus Assessments Initiative. Cloud-focused assurance.

HITRUST

i1

HITRUST Implemented (1-year) starter library. Healthcare and regulated assurance.

Starter libraries are editable starting points. You can add, remove, or customize requirements to match your own program. CMMC L2 readiness across your subcontractor base is tracked through the framework toggle on each supplier rather than a separate questionnaire library.

How it works

01 · Map your suppliers

Add Tier 1 suppliers by VendorConnect ID for live data, or manually for vendors not yet on TractionGRC.

02 · Connect their environment

Suppliers can connect Azure, AWS, or Google Workspace so signal visibility updates automatically instead of relying on manual reporting.

03 · Watch risk flow across tiers

TractionScore updates at each node, helping you see where weaker suppliers may create downstream exposure. CMMC contractors can see at a glance which subs hold valid Level 2 certification for the same scope.

04 · Export evidence or trigger review

One click exports the supplier register, monitoring log, and review records that auditors sample for ISO 27001 A.5.19–A.5.23 and that C3PAO assessors check as CMMC DFARS flowdown evidence. A score drop on a critical supplier triggers a review task, not just a dashboard alert.

Supplier limits by plan

Starter · 5 suppliers
  • Tier 1 mapping
  • Manual and connected suppliers
  • Live TractionScore sync
  • Respond to assurance requests

Professional · 25 suppliers
  • All Starter features
  • Multi-tier mapping
  • Risk signal propagation
  • Issue assurance programs from catalog
  • ISO and CMMC supplier controls evidence export

Enterprise · Unlimited
  • All Professional features
  • Multi-entity scopes
  • Custom assurance programs
  • API access for supplier data
  • Unlimited tiers

Scales with your plan

Start with the 5 suppliers that matter most

Starter includes supplier mapping for your five highest-risk vendors. Professional expands to 25 and unlocks issuing your own assurance programs. Enterprise removes the cap.