Quote & Qualify!
from Brightleaf Supplier Readiness by Security Done Easy
Security readiness for suppliers who are ready for bigger contracts.
Hello, and welcome.
This week’s theme is scope before answers.
When a customer questionnaire asks, “Do you use MFA?” or “Do you handle CUI?” or “Do you use AI tools?”, it can feel like the buyer wants a quick yes or no. But the better first move is to understand the scope: which systems, which data, which users, which subcontractors, and which tools are actually involved.
Suppliers do not need to sound like large enterprises to be taken seriously. They do need clear boundaries, honest answers, and evidence that matches the work they will perform.
Buyer-side teams benefit from the same clarity. A well-scoped question gets a better answer, reduces back-and-forth, and helps suppliers improve without guessing.
THE QUALIFYING MOVE
🗺 Build a “what’s in scope?” map
Before you answer a security questionnaire, create a one-page map of what is in scope for the contract or opportunity.
This is not a network diagram. It is a plain-English view of what the buyer’s data, access, or work would touch if you win the contract.
Buyers ask security questions because they need to understand risk. If your answer does not explain the scope, the reviewer may assume the broadest possible interpretation. That can make a manageable requirement look bigger than it is.
Doing this can save you a lot of time and money, and help you qualify more easily.
What to include
| Scope area | What to write down | Why buyers care |
|---|---|---|
| Work performed | What service or product you will provide | Sets the context for every security question |
| Data handled | Customer data, employee data, payment data, contract data, Federal Contract Information, Controlled Unclassified Information, or no sensitive data | Determines which requirements may apply |
| Systems used | Email, cloud storage, CRM, accounting, ticketing, website, shared drive, customer portal, AI tools | Shows where the work actually happens |
| Access needed | Will your team access the buyer’s systems, your own systems, or both? | Helps buyers assess account and identity risk |
| People involved | Employees, contractors, subcontractors, consultants | Helps buyers understand who can touch the work |
| Third parties | Hosting providers, SaaS tools, managed IT providers, AI tools, payment processors | Helps buyers understand dependency risk |
| Evidence available | Policies, screenshots, access lists, insurance, certifications, training records, incident contacts | Helps the buyer verify the answer |
What “good enough to start” looks like
Good enough is a simple table that lets you answer with precision.
Instead of:
Yes, we use MFA.
Use:
MFA is enabled for the systems in scope for this engagement, including company email, cloud file storage, and accounting. Administrative access is limited to named users, and we review access when roles change.
Instead of:
We do not handle CUI.
Use:
Based on the current statement of work, we do not expect to process, store, or transmit Controlled Unclassified Information. If the buyer identifies CUI in the work, we will request marking and handling instructions before receiving or processing it.
That second answer is stronger because it shows that you understand the requirement and are not guessing.
Do this this week
Pick one current customer, proposal, or contract opportunity.
Write down the systems, data, people, and third parties involved.
Mark which items are definitely in scope, possibly in scope, and not in scope.
Save one piece of evidence for each important system, such as MFA screenshots or an admin user list.
Keep the map in your security readiness folder.
This becomes the starting point for better questionnaire answers.
BEHIND THE BUYER’S DESK
🔄 Why reviewers ask the same question five different ways
Suppliers often get frustrated when a questionnaire seems repetitive. One section asks about data. Another asks about access. Another asks about subcontractors. Another asks about cloud tools. Another asks about incident notification.
To the supplier, it may feel like duplication.
To the buyer, those questions are connected. The reviewer is trying to understand the path of risk.
For example:
If you handle customer data, where is it stored?
If it is stored in a cloud tool, who administers that tool?
If a subcontractor helps deliver the service, can they access the data too?
If an AI tool summarizes the data, is that a new processing location?
If something goes wrong, who notifies the buyer and how quickly?
The buyer is not only asking whether you have controls. They are asking where those controls apply.
What creates confidence
A confident answer names the boundary.
Good:
For this engagement, the in-scope systems are Google Workspace, QuickBooks Online, and our customer support mailbox. No subcontractors will access buyer data. We do not plan to use AI tools to process buyer-provided confidential information unless separately approved.
Follow-up needed:
We use secure systems and trusted vendors.
The second answer may be sincere, but it does not help the reviewer place the risk. Reviewers are busy and may not have time to work out what you mean.
What suppliers should avoid
Avoid answering broadly when the question is really about scope. Avoid assuming “not applicable” without explaining why. Avoid naming every tool your company uses if only two systems are relevant to the contract.
The best answers are specific enough to review and narrow enough to be fair.
What buyer-side teams can do better
Instead of asking:
List all systems used by your company.
Ask:
List the systems that will process, store, transmit, or provide access to our data or contract-related work.
That wording helps suppliers focus on the risk that actually matters.
AI READINESS WATCH
✨ AI-built apps are becoming part of supplier scope
AI-assisted app builders are making it easier for non-developers to create internal tools, portals, dashboards, and prototypes. That can be useful, but those apps can also become unreviewed places where customer or company data appears.
IANS reported that RedAccess researchers found roughly 5,000 AI-built, or “vibe-coded,” applications leaking corporate data online because of misconfigured or default public privacy settings. Around 40% of the applications, built on platforms such as Lovable, Base44, Replit, and Netlify, had little or no security or authentication and exposed data such as hospital schedules, go-to-market presentations, and sales records (IANS Research).
The supplier lesson is simple: if an AI-built app touches customer work, it belongs in the scope map.
Why this matters for qualification
Buyers are increasingly asking where their data goes. An AI-built prototype may not feel like a “system” to the person who created it, but it can still store files, expose links, collect form entries, or publish information to the open web.
Suppliers should be ready to answer:
Are AI tools used to perform the work?
Are AI-built apps used internally or externally?
Do those apps process customer, employee, contract, payment, or regulated data?
Are they private by default?
Who approves them before use?
Can you remove or export the data if the customer asks?
What suppliers should document
Create a small AI tools register:
| Tool or app | Business use | Data allowed | Owner | Public or private |
|---|---|---|---|---|
| AI writing assistant | Drafting and editing | No confidential customer data without approval | Named owner | Private account |
| AI-built dashboard | Internal tracking | Test data only until reviewed | Named owner | Private |
| Meeting notes tool | Internal summaries | Customer meetings only with approval | Named owner | Private |
What buyers should ask
Instead of asking a broad question like:
Do you use AI?
Ask:
Will any AI tool or AI-built application process, store, summarize, or expose our data or contract-related work? If yes, please identify the tool, purpose, data type, access controls, and owner.
That question is practical without being punitive.
REQUIREMENT WATCH
📄 NIST finalized enhanced CUI requirements
NIST finalized Special Publication 800-172 Revision 3 on May 13, 2026. The publication provides enhanced security requirements for protecting Controlled Unclassified Information, or CUI, in nonfederal systems when the information is associated with a high-value asset or critical program (Wiley).
This does not mean every small supplier suddenly needs to implement the full enhanced control set. It does mean suppliers working near CUI, high-value programs, or defense-related requirements should pay attention.
Wiley noted that the revised controls add material related to acquisition and supply chain risk management, access controls, network segmentation, asset management, and threat detection, and that the updated SP 800-172 requirements are not immediately incorporated into the CMMC program (Wiley).
Who this affects
Most suppliers will not start with SP 800-172. Many will start with basic safeguarding, Federal Contract Information, or NIST SP 800-171 expectations.
But this update matters because it shows where buyer expectations are headed for higher-risk work:
Better asset visibility.
Stronger access control.
Clearer segmentation.
More attention to supply chain risk.
More attention to detection and resilience.
Better ability to identify and handle CUI.
What suppliers should do now
Start with CUI clarity.
If a contract, statement of work, portal, or customer message mentions CUI, ask:
What information is CUI?
How will it be marked?
Which systems may process, store, or transmit it?
Who may access it?
Are subcontractors allowed to receive it?
What security requirements apply before we receive it?
The most important first step is not a tool purchase. It is knowing whether CUI is actually in scope.
What buyer-side teams should communicate clearly
If you expect suppliers to protect CUI, mark it clearly and explain the handling expectation. A supplier cannot protect a category of information it cannot identify.
SUPPLY CHAIN SIGNALS
✅ Verification is replacing “just certify it”
Recent government contracting updates point to a broader theme: buyers and regulators are moving toward verification, documentation, and enforcement instead of relying only on supplier self-certification.
Morgan Lewis reported that federal agencies are increasing scrutiny of domestic sourcing and country-of-origin representations, that cybersecurity requirements tied to CMMC and NIST SP 800-171 are expected to receive enforcement attention, and that recent SBA activity highlights the importance of keeping small-business program documentation accurate and current (Morgan Lewis).
For suppliers, the message is not “be perfect.” The message is “keep your representations supportable.”
Why this matters for suppliers
If you say you have a control, keep evidence. If you say a product has a country of origin, keep supporting documentation. If you say you meet a program requirement, keep the documents that show eligibility. If you say you protect certain data, know which systems and people are in scope.
Security readiness is becoming part of a larger supplier-readiness pattern: buyers want answers they can verify.
Why this matters for buyer-side teams
Verification does not have to mean burying every supplier in paperwork. The better approach is to ask for evidence that matches the risk.
For lower-risk suppliers, a scoped explanation, screenshots, and policy excerpts may be enough to start. For higher-risk suppliers, independent assessments, detailed inventories, contract clauses, or remediation plans may be appropriate.
Proportionality matters. Clear evidence requests help suppliers respond faster and more accurately.
SECURITY NEWS THAT CHANGES THE QUESTIONNAIRE
🎣 Phishing can bypass ordinary MFA
Microsoft reported a phishing campaign that targeted more than 35,000 users across more than 13,000 organizations in April 2026 and used adversary-in-the-middle techniques to capture authentication tokens, which can bypass non-phishing-resistant MFA (Microsoft Security Blog).
Why buyers care: A simple “yes, we use MFA” answer may not show whether high-risk accounts are protected against modern phishing.
Supplier move: Identify which systems use MFA, which users are covered, and whether admin, finance, payroll, and customer-access accounts can use passkeys, security keys, or other phishing-resistant options.
🛠 Collaboration tools are now help-desk attack surfaces
The Hacker News reported on UNC6692 activity in which attackers impersonated IT help desk staff through Microsoft Teams, used email-bombing to create urgency, and pushed victims toward malicious tools or scripts (The Hacker News).
Why buyers care: Supplier employees may be targeted through chat tools, not just email.
Supplier move: Document a support-verification rule: employees should not accept unsolicited remote support, run commands, or install tools from a chat message without verifying through a known support channel.
❓ Vendor breach response is becoming a board-level question
TechCrunch reported that U.S. lawmakers demanded answers from Instructure after Canvas-related breaches, including questions about repeated access, notification, coordination with CISA, and whether the company contained the threat after the first intrusion (TechCrunch).
Why buyers care: Buyers want to know whether suppliers can detect, contain, and communicate about incidents, not just whether they have never had one.
Supplier move: Keep an incident contact list, a customer notification process, and a short incident response plan that explains who makes decisions and how customers are notified.
🔢 CMMC Phase 1 is underway
The Department of Defense CMMC page says Phase 1 began November 10, 2025 and runs through November 9, 2026, focusing primarily on Level 1 and Level 2 self-assessments, with annual affirmations required for applicable assessment levels (DoD CIO).
Why buyers care: Prime contractors and buyers may need to flow requirements down to subcontractors when Federal Contract Information or Controlled Unclassified Information is involved.
Supplier move: Learn the difference between FCI and CUI, and ask whether either type of information will be processed, stored, or transmitted in your systems for the opportunity.
QUESTION OF THE WEEK
❓ The questionnaire asks whether we handle CUI. What if I’m not sure?
Short answer: do not guess.
CUI stands for Controlled Unclassified Information. It is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls. The DoD CMMC page explains that CMMC is designed to protect Federal Contract Information and Controlled Unclassified Information in contractor and subcontractor systems (DoD CIO).
If you are not sure whether you handle CUI, the right move is to ask for clarification before you receive or process the information.
Why the question matters
CUI can change the security requirements for a contract. It can affect where data is stored, who can access it, whether subcontractors can receive it, what systems are in scope, and what evidence a buyer expects.
The risk is not only answering “no” when the answer should be “yes.” The risk is also answering “yes” too broadly and making the scope larger than it needs to be.
What to do first
Ask the buyer:
Will this work involve CUI?
If yes, which documents, fields, files, systems, or deliverables are CUI?
How will CUI be marked?
Are we expected to store or process CUI in our systems?
Are subcontractors allowed to access it?
Which clause, standard, or security requirement applies?
What evidence to keep
Keep:
The buyer’s written answer.
The contract clause or solicitation language.
Any CUI marking guidance provided.
A list of systems that would handle the information.
A list of people who would have access.
Notes showing where CUI is not expected to be stored.
What can wait
Do not buy a tool just because the term CUI appears. First confirm whether CUI is actually in scope, where it will live, and which requirement applies.
READY-TO-SEND LANGUAGE
🪴 Use or adapt this
Use or adapt this language when you need to clarify CUI scope:
We want to ensure that we apply the correct handling and security requirements for this opportunity. Based on our current understanding, we are not expecting to process, store, or transmit Controlled Unclassified Information in our systems. If any part of the work will involve CUI, please identify the relevant documents, data elements, markings, contract clauses, and required handling instructions before transmission so we can confirm scope and readiness.
If you already know CUI is involved, adjust the language:
We understand that this opportunity may involve Controlled Unclassified Information. Please confirm which information will be marked or treated as CUI, whether we are expected to store or process it in our systems, and which security requirements apply to our role and any subcontractors before work begins.
BEFORE YOU GO
Readiness starts with knowing the boundary.
You cannot protect every possible system, every possible data type, and every possible tool in the abstract. You can protect the systems, data, users, subcontractors, and workflows that are actually in scope for the work.
This week, pick one opportunity and build the scope map. It will make your answers clearer, your evidence easier to find, and your buyer conversations more productive.
Question for you: “What is one requirement you have seen in a customer questionnaire, RFP, portal, or contract that you are not sure how to answer?”
Until next week,
Alexia
Brightleaf Supplier Readiness™️ by Security Done Easy®
PS. Looking for Phish & Tell, our sister newsletter with cybersecurity advice for small and micro businesses?
