International Journal of Advanced Multidisciplinary Research and Studies
Volume 3, Issue 6, 2023
A Predictive Supply Chain Cyber Risk Intelligence Framework for Infrastructure and Defense Projects
Author(s): Beloved D Smart
DOI: https://doi.org/10.62225/2583049X.2023.3.6.6228
Abstract:
The SolarWinds SUNBURST campaign, publicly disclosed in December 2020, set new standards for supply chain cyberattack sophistication by demonstrating that adversaries can compromise thousands of organizations simultaneously, including major government agencies worldwide, by corrupting a trusted software vendor's build environment and distributing a backdoored update through legitimate vendor channels. This approach bypassed substantial perimeter defenses. The Kaseya VSA attack in mid-2021 further demonstrated that advanced supply chain attack capabilities had transitioned from nation-state actors to financially motivated ransomware groups, who deployed ransomware across hundreds of managed service provider client organizations via zero-day vulnerabilities in platform software. Collectively, these campaigns revealed that conventional periodic, questionnaire-based supplier assessment approaches focused solely on first-tier suppliers, conducted annually, and reliant on self-reported security posture are inadequate for managing the dynamic supply chain cyber risk environment. This paper describes the Predictive Supply Chain Cyber Risk Intelligence (PSCRI) framework, which integrates structured threat intelligence analysis, multi-dimensional supplier risk profiling, Software Bill of Materials (SBOM) vulnerability analysis using the CycloneDX format, behavioral anomaly detection for suppliers with privileged access, and predictive risk scoring. The framework empowers infrastructure and defense project operators to continuously anticipate, assess, and mitigate third-party cyber risks. The PSCRI framework is grounded in NIST SP 800-161, DFARS 252.204-7012, NIST SP 800-171 and SP 800-172, as well as international supply chain risk management standards.
This paper synthesizes supply chain security literature, regulatory requirements, and prior conceptual work on zero-trust architecture and cybersecurity governance to develop a theoretically grounded framework suitable across the defense and critical infrastructure sectors.
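The abstract names two of the framework's inputs that can be shown concretely: SBOM vulnerability analysis over a CycloneDX document, and risk scoring that weights suppliers holding privileged access more heavily. The following is an added illustration, not code from the paper or the PSCRI framework; the SBOM, the vulnerability feed (with placeholder identifiers, not real CVE numbers), the supplier privilege register and the weighting constant are all constructed sample data, and the scoring rule is a simple assumed one chosen to make the mechanics visible.

```python
"""Match a CycloneDX JSON SBOM against a vulnerability feed and score suppliers.

Added example (not the paper's code). All data below is constructed.
"""
import json
from collections import defaultdict

# Constructed CycloneDX 1.4 JSON SBOM: four components from three suppliers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "netlib", "version": "2.3.1",
         "purl": "pkg:npm/netlib@2.3.1", "supplier": {"name": "VendorA"}},
        {"type": "library", "name": "cryptokit", "version": "1.0.0",
         "purl": "pkg:pypi/cryptokit@1.0.0", "supplier": {"name": "VendorA"}},
        {"type": "application", "name": "remote-agent", "version": "5.2.0",
         "purl": "pkg:generic/remote-agent@5.2.0", "supplier": {"name": "VendorB"}},
        {"type": "library", "name": "logfmt", "version": "0.9.4",
         "purl": "pkg:golang/logfmt@0.9.4", "supplier": {"name": "VendorC"}},
    ],
})

# Constructed vulnerability feed keyed by package URL (purl). The "id" values
# are placeholders, not real CVE numbers; "severity" is a CVSS-style base score.
SAMPLE_VULN_FEED = {
    "pkg:npm/netlib@2.3.1": [{"id": "VULN-EXAMPLE-001", "severity": 9.8}],
    "pkg:generic/remote-agent@5.2.0": [
        {"id": "VULN-EXAMPLE-002", "severity": 7.5},
        {"id": "VULN-EXAMPLE-003", "severity": 5.3},
    ],
}

# Constructed supplier register: suppliers whose products hold privileged
# access into the project environment (e.g. remote management tooling).
SAMPLE_PRIVILEGED_SUPPLIERS = {"VendorB"}

# Assumed weighting: findings tied to a privileged supplier count 1.5x.
PRIVILEGED_ACCESS_WEIGHT = 1.5


def load_sbom(sbom_json):
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def component_supplier(comp):
    """Supplier name recorded on a component, or 'unknown' if absent."""
    return comp.get("supplier", {}).get("name", "unknown")


def match_vulnerabilities(components, feed):
    """Return (component, vulnerability) pairs for every purl found in the feed."""
    hits = []
    for comp in components:
        for vuln in feed.get(comp.get("purl"), []):
            hits.append((comp, vuln))
    return hits


def score_suppliers(components, feed, privileged):
    """Sum vulnerability severities per supplier, weighted for privileged access.

    Every supplier present in the SBOM gets an entry, so a clean supplier
    shows up with 0.0 rather than disappearing from the report.
    """
    scores = defaultdict(float)
    for comp in components:
        scores[component_supplier(comp)] += 0.0
    for comp, vuln in match_vulnerabilities(components, feed):
        supplier = component_supplier(comp)
        weight = PRIVILEGED_ACCESS_WEIGHT if supplier in privileged else 1.0
        scores[supplier] += vuln["severity"] * weight
    return dict(scores)


def rank_suppliers(scores):
    """Order suppliers by descending score, then by name for a stable report."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    comps = load_sbom(SAMPLE_SBOM)
    for comp, vuln in match_vulnerabilities(comps, SAMPLE_VULN_FEED):
        print(f"{comp['purl']}: {vuln['id']} (severity {vuln['severity']})")
    for supplier, score in rank_suppliers(
            score_suppliers(comps, SAMPLE_VULN_FEED, SAMPLE_PRIVILEGED_SUPPLIERS)):
        print(f"{supplier}: {score:.1f}")
```

With the sample data, VendorB ranks first even though its highest single finding is less severe than VendorA's, because its privileged access multiplies both of its findings; VendorC appears with a score of 0.0. In practice the purl-keyed feed would be refreshed continuously rather than at an annual assessment, which is the shift from periodic questionnaires to continuous intelligence that the abstract argues for.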
Keywords: Supply Chain Cyber Risk, Software Bill of Materials (SBOM: A List of all Software Components), Third-Party Risk Management, Defense Acquisition, NIST SP 800-161 (Supply Chain Risk Management Guideline), Predictive Risk Intelligence, Zero Trust (Security Model where Nothing is Trusted by Default), Software Composition Analysis (Examining Components for Vulnerabilities), DFARS (Defense Federal Acquisition Regulation Supplement), Living-off-the-Land (Use of Legitimate Software Tools for Malicious Purposes)
Pages: 2905-2910