SUPPLIER SECURITY
Fortress Automates Regulatory Compliance
Access a central repository of third-party risk data to strengthen security and simplify compliance
Demonstrate compliance and quickly adapt to emerging regulations with the most comprehensive third-party risk assessment.
The ability to automate risk identification and remediation is crucial to maintaining an agile compliance program. Fortress Platform provides the ability to initiate a scan on a company, or many companies, that instantly returns insights key to identifying risk. The scan returns a company’s predicted inherent risk, cyber hygiene, geographical footprint, and alerts for potential relationships to entities banned by emerging regulations (including affiliates and subsidiaries).
Instant security and compliance ratings
Out of the box, Fortress provides tools and processes that align with third-party risk requirements and make them easier to manage.
- Identify variance between stated and documented compliance levels
- Assess across audit periods and multiple scopes (such as enterprise wide or by data enclave)
- Support multiple internal or external stakeholders for evidence collection and sign-off
- Alert for evidence refresh
- Demonstrate compliance to auditors with CMMC Evidence Packets

VALIDATED
Fortress validation entails rigorous review and continuous monitoring of supply chain risk and software security to ensure enrolled organizations have an effective toolset for identifying and remediating cyber risk associated with third-party vendors.
CONTINUOUS
Web-based tools enable risk illumination and evidence collection by continuously leveraging machine learning to interpret information from public, private, and proprietary data sources. View real-time vendor profiles to illuminate compliance risk, cybersecurity vulnerabilities, obsolescence, and issues like foreign influence.
OPERATIONALIZED
A defined methodology for identifying inherent cyber risk in products and services, carrying out a criticality ranking of suppliers, and maintaining basic C-SCRM controls, as indicated by authoritative sources.

Fortress provides cyber supply chain risk management solutions that help secure over 30% of the US power grid.
We service a wide range of industries, including energy, aerospace and defense, manufacturing, telecommunications, pharmaceuticals, transportation, and others.
EO 13920
Issued to block the installation of bulk power system (BPS) electric equipment designed, developed, manufactured, or supplied by foreign adversaries of the US.
Focuses on improving the nation’s cybersecurity by:
- Removing barriers to sharing threat information
- Enhancing software supply chain security
- Standardizing responses to cybersecurity vulnerabilities and incidents
Fortress Solution Applicability
- Fortress’ catalog of vendors and assets is accessible across DOD/GOV to quickly identify risks and threats in the supply chain
- SBOMs allow for better identification and management of software vulnerabilities
- Workflow process allows for traceable, auditable management of risks and vulnerabilities from initial finding to closure
DODI 5000.90
Cybersecurity for acquisition decision authorities and program managers
- SCRM and Cyber-SCRM to include, at a minimum, assessment of potential vendors
- Maintaining a visualization (illumination) of the supply chain for situational awareness of risks and vulnerabilities throughout the program’s supply chain
- Identify the source of products and maintain a complete list that shows the ownership of commercial companies and technology relationships with other entities
- Take action to manage supply chain risks commensurate with the risk tolerance level of the system or mission in question
Fortress Solution Applicability
- Vendor assessments are easily accessed and inexpensive
- Dashboard provides real-time illumination of supply chain risk throughout the life cycle
- Assessments with Related Entity Discovery (RED) provide ownership and relationships for all products/components
- The customized workflow process in the platform allows for accountable tracking of remediation through closure
NDAA Sec. 889 (A and B)
Prohibited telecommunications
Part A: prohibits the government from obtaining certain telecommunications equipment or services produced by covered entities and their subsidiaries and affiliates
Part B: prohibits the government from contracting with any entity that uses certain telecommunications equipment or services provided by the entities listed in the statute
Fortress Solution Applicability
- Fortress’ vendor assessments provide insight into Foreign Ownership, Control, or Influence (FOCI) that is prohibited by sections 889(a) and 889(b) of the 2019 NDAA
- Vendor assessments include Related Entity Discovery specifically focused on any and all relationships with banned entities
- Assessments are updated as regulations change and new vendors are added and removed
Cybersecurity Maturity Model Certification (CMMC)
All vendors doing business with DOD/GOV will be required to have a CMMC to ensure cyber hygiene practices and the protection of federal contract information (FCI) and controlled unclassified information (CUI).
Fortress Solution Applicability
- Fortress Control Assessments provide objective evidence for CMMC certification
- The platform allows end users to assess potential vendors prior to CMMC implementation to ensure they will meet the requirements for certification
DODI 5000.75
- Drive toward COTS and GOTS solutions to the maximum extent possible
- Cybersecurity strategy for mission essential and mission critical IT
Fortress Solution Applicability
- Fortress product assessments provide greater insight into lower-tier component vendors to reduce risk for COTS and GOTS products
NISTIR 8276
- Cyber Supply Chain Risk Management (C-SCRM) guidance that combines existing C-SCRM government and industry resources with the 2015 and 2019 NIST research
- Identifies and describes 8 Key Practices for managing cyber risk
Fortress Solution Applicability
- Fortress Platform dashboards support identified practices such as “Know and Manage Critical Suppliers” (Req 3), “Understand the Organization’s Supply Chain” (Req 4), and “Assess and Monitor Throughout the Supplier Relationship” (Req 7)
- Vendor assessments, risk reports, and resultant data support decision making for collaboration (Req 5), resilience and improvement activities (Req 6), and oversight of the full life cycle (Req 8)
NERC CIP-013
Each responsible entity shall develop one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems.
Fortress Solution Applicability
Out of the box, Fortress provides tools that align with each requirement of CIP-013, including standard assessments that are fully aligned with the North American Transmission Forum (NATF).