Interesting data point from CISA's latest emergency directive - supply chain attacks have increased 250% from 2021-2024 (62 → 219 incidents).
Technical breakdown:
- Primary attack vector: third-party vendor compromise (45% of incidents)
- Average dwell time in supply chain attacks: 287 days vs 207 days for direct attacks - the detection gap remains significant
- Cost differential: $5.12M (supply chain) vs $4.45M (direct attacks)

CISA's directive focuses on:
- Zero-trust architecture implementation
- SBOM (Software Bill of Materials) requirements
- Continuous vendor risk assessment
Massachusetts highlighted as high-risk due to tech sector density and critical infrastructure.
Would be interested in hearing from those implementing SBOM strategies - what tools/frameworks are working?
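On the SBOM question, one thing that works regardless of which generator you pick is automating checks over the SBOM itself before it goes into a vendor-risk review: are the minimum elements present, does the dependency graph reference components that actually exist in the document, and do any components fall below a fixed version in an advisory feed. The script below is an added example written for this thread, not a tool named by CISA or the original poster. The CycloneDX document and the advisory list are constructed inline so it runs offline; the advisory identifiers are placeholders, not real advisories, and the field set checked (supplier, version, purl, hashes) is an assumption standing in for whatever minimum-element list your organisation adopts.

```python
"""Consistency and advisory checks over a CycloneDX SBOM (added example)."""
import json

# Constructed CycloneDX 1.5 document; not an SBOM of any real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-06-01T12:00:00Z",
    "authors": [{"name": "constructed-build-pipeline"}],
    "component": {"type": "application", "name": "example-app", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "libfoo@1.4.2", "name": "libfoo", "version": "1.4.2",
     "supplier": {"name": "Foo Project"}, "purl": "pkg:generic/libfoo@1.4.2",
     "hashes": [{"alg": "SHA-256", "content": "0000constructedhash0000"}]},
    {"type": "library", "bom-ref": "libbar@0.9.1", "name": "libbar", "version": "0.9.1",
     "purl": "pkg:generic/libbar@0.9.1"},
    {"type": "library", "bom-ref": "libbaz@3.0.0", "name": "libbaz", "version": "3.0.0",
     "supplier": {"name": "Baz Inc"}}
  ],
  "dependencies": [
    {"ref": "libfoo@1.4.2", "dependsOn": ["libbar@0.9.1", "libqux@1.0.0"]}
  ]
}
"""

# Constructed advisory feed. The ids are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "libbar", "fixed_in": "1.0.0"},
    {"id": "ADV-PLACEHOLDER-002", "name": "libfoo", "fixed_in": "1.4.0"},
]

# Assumed minimum per-component elements for this example.
REQUIRED_COMPONENT_FIELDS = ("supplier", "version", "purl", "hashes")


def parse_version(v):
    """Best-effort numeric version tuple; non-numeric segments count as 0."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_metadata(sbom):
    """Document-level minimum: a timestamp and an author or supplier."""
    meta = sbom.get("metadata", {})
    return bool(meta.get("timestamp")) and bool(meta.get("authors") or meta.get("supplier"))


def find_missing_fields(sbom):
    """Return (component name, field) for every required field that is absent or empty."""
    missing = []
    for comp in sbom.get("components", []):
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                missing.append((comp.get("name", "<unnamed>"), field))
    return missing


def find_dangling_refs(sbom):
    """Dependency edges that point at a bom-ref no component declares."""
    known = {c.get("bom-ref") for c in sbom.get("components", [])}
    known.add(sbom.get("metadata", {}).get("component", {}).get("bom-ref"))
    dangling = []
    for dep in sbom.get("dependencies", []):
        for ref in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if ref not in known:
                dangling.append(ref)
    return dangling


def match_advisories(sbom, advisories):
    """Components whose version is below an advisory's fixed_in version."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    hits = []
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp.get("name"), []):
            if parse_version(comp.get("version", "0")) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def audit(sbom_text, advisories):
    """Run every check and return one report dict."""
    sbom = json.loads(sbom_text)
    return {
        "metadata_ok": check_metadata(sbom),
        "missing": find_missing_fields(sbom),
        "dangling_refs": find_dangling_refs(sbom),
        "advisory_hits": match_advisories(sbom, advisories),
    }


if __name__ == "__main__":
    for key, value in audit(SBOM_JSON, ADVISORIES).items():
        print(f"{key}: {value}")
```

Running it against the constructed document flags libbar for a missing supplier and hashes, libbaz for a missing purl and hashes, the dependency edge to libqux as dangling, and libbar 0.9.1 against the placeholder advisory fixed in 1.0.0. In practice the advisory list would be loaded from a real feed rather than embedded, and a proper version-comparison library should replace `parse_version` for ecosystems with non-numeric schemes.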