Quote & Qualify!
from Brightleaf Supplier Readiness by Security Done Easy
Security readiness for suppliers who are ready for bigger contracts.
Hello, and welcome.
This week’s theme is access evidence.
Many supplier questionnaires ask some version of the same question: who can get into the systems that matter, and how do you know they still should?
That question can show up as MFA. It can show up as admin access. It can show up as vendor access, subcontractor access, Microsoft 365 security, incident response, or CMMC affirmation. Underneath all of it, the buyer is trying to understand whether access is known, limited, reviewed, and removable.
For suppliers, this is good news. You do not need a perfect security program to start building confidence. You need a clear list, a review habit, and a few pieces of evidence that show you are paying attention.
THE QUALIFYING MOVE
🧾 Create your access review evidence
This week, build a simple access review for the systems that would matter most to a customer.
An access review is just a documented check of who has access to important systems and whether they still need it. It is one of the simplest ways to show a buyer that your security program is real, not just aspirational.
Start with these systems:
Email.
Cloud file storage.
Accounting or invoicing.
CRM or customer database.
Website admin.
Payroll or HR.
Customer portals.
Any system used for contract delivery.
Any AI or automation tool that can access customer or business data.
What to capture
| Evidence | What it proves | Where to start |
| --- | --- | --- |
| User list | You know who has access | Export or screenshot active users |
| Admin list | Privileged access is visible | Identify owners, admins, and super admins |
| MFA status | Important accounts are not password-only | Screenshot MFA coverage or policy settings |
| Former-user check | Departed users are removed | Compare against current team list |
| Shared-account check | Access is attributable to people | List shared logins and plan replacements |
| Review date | This is an ongoing habit | Save the date and reviewer name |
What “good enough to start” looks like
Good enough is not a formal audit. Good enough is a dated note that says:
We reviewed access to email, cloud storage, accounting, and the customer portal on May 26, 2026. We confirmed current users, removed two inactive accounts, verified admin users, and confirmed MFA is enabled for admin access. Remaining action: replace one shared login with named user accounts.
That one paragraph is more useful than a vague “yes, we control access.”
Do this this week
Pick three systems that matter most to customer work.
Export or screenshot the user list.
Mark each user as keep, remove, or confirm.
Remove accounts that no longer need access.
Check which users are admins.
Save proof that MFA is enabled for admin accounts.
Write a short dated review note.
Keep the evidence in your security readiness folder.
BEHIND THE BUYER’S DESK
🔐 Why buyers ask about admin access
When a buyer asks about access control, they are not only asking whether your team can log in securely.
They are asking whether one compromised person could expose the buyer’s data, interrupt service, change payment details, delete records, or create new accounts without anyone noticing.
This is why admin access matters so much. Admin users can often do more than regular users. They can change settings, add people, export data, connect apps, bypass normal workflows, or turn off alerts.
What creates confidence
A confident answer is specific:
Administrative access is limited to two named users. MFA is required for admin access. We review admin users quarterly and when staff or contractor roles change. Shared admin accounts are not permitted for in-scope customer systems.
A weaker answer is:
Only authorized people have access.
The weaker answer may be true, but it gives the buyer no way to understand how access is defined, reviewed, or removed.
What suppliers should avoid
Avoid saying “everyone needs admin access” unless that is genuinely true. Avoid keeping former employees, old contractors, or unused agency accounts “just in case.” Avoid shared admin accounts where nobody can tell who actually made a change.
If shared access still exists, be honest and show the improvement plan:
We have one legacy shared admin login for the website platform. We are replacing it with named admin accounts and will complete that change by June 15.
That answer is much better than pretending the issue does not exist.
What buyer-side teams can do better
Instead of asking:
Do you have access controls?
Ask:
For systems that will process, store, transmit, or provide access to our data, who has administrative access, how often is access reviewed, and how quickly can access be removed when someone leaves or changes roles?
That question helps suppliers give evidence instead of slogans.
AI READINESS WATCH
✨ AI phishing kits are turning access into a subscription business
The FBI warned on May 21 about Kali365, a phishing-as-a-service platform first seen in April 2026. According to the FBI, Kali365 is distributed through Telegram and helps attackers capture Microsoft 365 OAuth tokens, bypass MFA, and gain persistent access to Outlook, Teams, and OneDrive without needing the user’s password again (FBI IC3).
The FBI says Kali365 includes AI-generated phishing lures, automated campaign templates, real-time target tracking dashboards, and OAuth token capture capabilities (FBI IC3).
This matters for supplier readiness because many suppliers rely on Microsoft 365 as the operating system of the business. If an attacker gains persistent access to email, Teams, OneDrive, or SharePoint, they may be able to see customer files, invoices, contracts, portal invitations, and internal discussions.
Why this matters for qualification
A buyer may ask:
Do you require MFA?
Do you monitor suspicious logins?
Can you revoke sessions?
Do you restrict OAuth app consent?
Can you identify unauthorized devices or active sessions?
Do you have a process for account compromise?
Those questions are not theoretical. They are about whether the supplier can recover control when a login still looks legitimate.
What suppliers should document
Create a one-page “Microsoft 365 access evidence” note if Microsoft is in scope:
MFA status for users and admins.
Whether device-code flow is restricted or reviewed.
Whether users can approve third-party apps without admin review.
Where suspicious sign-ins are reviewed.
Who can revoke sessions.
Who receives security alerts.
How quickly access can be removed after a staff change.
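The items above are things to document, but the sign-in and app-consent review behind "where suspicious sign-ins are reviewed" can be shown as a small, repeatable check. The script below is an added example written for this newsletter; it is not tooling from Microsoft, the FBI, or Security Done Easy. It runs over constructed sign-in and consent records with a simplified schema (the field names, the "device_code" protocol label, and the device inventory are assumptions for the example; the scope names such as Mail.ReadWrite and offline_access are real Microsoft Graph permission names) and produces the list a reviewer would work through: device-code sign-ins, sign-ins from devices not in the managed list, and user-granted app consents that reach mail or files or keep working after the session ends.

```python
from typing import Dict, List, Set

# Constructed sign-in records with a simplified, assumed schema.
# "protocol" values are this example's labels, not a vendor field name.
SIGN_INS: List[Dict] = [
    {"user": "ana@example.com", "time": "2026-05-25T09:02:00", "protocol": "browser",
     "device_id": "dev-001", "status": "success"},
    {"user": "ben@example.com", "time": "2026-05-25T22:41:00", "protocol": "device_code",
     "device_id": None, "status": "success"},
    {"user": "cara@example.com", "time": "2026-05-26T03:15:00", "protocol": "browser",
     "device_id": "dev-zzz", "status": "success"},
    {"user": "cara@example.com", "time": "2026-05-26T08:00:00", "protocol": "browser",
     "device_id": "dev-003", "status": "success"},
    {"user": "ben@example.com", "time": "2026-05-26T08:05:00", "protocol": "browser",
     "device_id": "dev-002", "status": "failure"},
]

# Constructed app-consent records: a user let a third-party app into their data.
CONSENTS: List[Dict] = [
    {"user": "ana@example.com", "app": "Contoso Timesheets",
     "scopes": ["User.Read"], "admin_approved": True},
    {"user": "ben@example.com", "app": "Mail Helper Pro",
     "scopes": ["Mail.ReadWrite", "offline_access"], "admin_approved": False},
]

MANAGED_DEVICES: Set[str] = {"dev-001", "dev-002", "dev-003"}  # constructed device inventory
APPROVED_APPS: Set[str] = {"Contoso Timesheets"}               # apps already reviewed by an admin
# Scopes that reach mail or files, or that keep working after the interactive session ends.
SENSITIVE_SCOPES: Set[str] = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                              "Files.ReadWrite.All", "offline_access"}


def review_sign_ins(sign_ins, managed_devices):
    """Flag successful sign-ins that used device-code flow or came from an unmanaged device."""
    findings = []
    for s in sign_ins:
        if s["status"] != "success":
            continue  # failed attempts matter elsewhere; this review is about live access
        if s["protocol"] == "device_code":
            findings.append({"kind": "device_code_sign_in", "user": s["user"], "time": s["time"],
                             "action": "confirm with the user; revoke sessions if not expected"})
        elif s["device_id"] not in managed_devices:
            findings.append({"kind": "unmanaged_device_sign_in", "user": s["user"], "time": s["time"],
                             "action": f"identify device {s['device_id']}; revoke sessions if unknown"})
    return findings


def review_consents(consents, approved_apps, sensitive_scopes):
    """Flag user-granted consents to unreviewed apps that request sensitive scopes."""
    findings = []
    for c in consents:
        if c["app"] in approved_apps or c["admin_approved"]:
            continue
        risky = sorted(set(c["scopes"]) & sensitive_scopes)
        if risky:
            findings.append({"kind": "risky_app_consent", "user": c["user"], "time": None,
                             "action": f"review app '{c['app']}' ({', '.join(risky)}); "
                                       "remove the consent if it was not approved"})
    return findings


def review_m365(sign_ins=SIGN_INS, consents=CONSENTS, managed_devices=MANAGED_DEVICES,
                approved_apps=APPROVED_APPS, sensitive_scopes=SENSITIVE_SCOPES):
    """Combined review list for the dated note: sign-in findings first, then consent findings."""
    return (review_sign_ins(sign_ins, managed_devices)
            + review_consents(consents, approved_apps, sensitive_scopes))


if __name__ == "__main__":
    for f in review_m365():
        print(f"{f['kind']:26} {f['user']:20} {f['time'] or '-':20} {f['action']}")
```

Each finding names the person who can act on it and the action the page already calls for (revoke sessions, review connected apps, identify the device), so the output doubles as the follow-up list in the review note. Swapping the constructed records for a real export means mapping the vendor's field names onto the ones used here.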
What buyers should ask
Instead of asking only:
Do you use MFA?
Ask:
How do you review and revoke suspicious Microsoft 365 sessions, connected apps, and unauthorized devices for accounts that can access our data?
That is a better question because token theft and device-code phishing can bypass the comfort of a simple MFA checkbox.
REQUIREMENT WATCH
📄 CMMC affirmations make access evidence more important
The Department of Defense CMMC page says Phase 1 implementation began November 10, 2025 and runs through November 9, 2026, with the phase focused primarily on CMMC Level 1 and Level 2 self-assessments. The page also reminds organizations to submit affirmations with CMMC assessments in the Supplier Performance Risk System, or SPRS (DoD CIO).
For Level 1, CMMC requires an annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR 52.204-21. For Level 2, the program uses the 110 security requirements in NIST SP 800-171 Revision 2, with assessment requirements and annual affirmation tied to the type of information processed, stored, or transmitted (DoD CIO).
The key word is affirmation.
An affirmation is more than “we think we are doing this.” It means someone with authority is saying the organization meets the requirement. That makes evidence important.
What suppliers should do now
If you expect CMMC, FAR 52.204-21, NIST SP 800-171, or similar requirements to appear in buyer conversations, start saving evidence for the controls you already claim.
For access control, that might include:
MFA policy screenshots.
User and admin lists.
Access review notes.
Account removal records.
Password manager or single sign-on policy notes.
Role-change and offboarding checklist evidence.
This does not replace an assessment. It makes your answers more supportable.
What buyer-side teams should communicate clearly
If you ask a supplier to affirm a requirement, tell them what evidence you expect to see.
For example:
For access control, acceptable evidence may include screenshots of MFA settings, dated user access review notes, admin user lists, offboarding procedures, or relevant policy excerpts.
Clear evidence examples help suppliers respond accurately and reduce unnecessary back-and-forth.
SUPPLY CHAIN SIGNALS
✅ Procurement is treating cyber risk as a lifecycle issue
GSA’s Cyber-Supply Chain Risk Management acquisition subpart says cyber-supply-chain risk management applies across all phases of the acquisition lifecycle and at all levels of the supply chain for GSA-funded contracts and orders, regardless of estimated value (Acquisition.gov).
The same subpart defines cyber-supply-chain events broadly, including IT security incidents, prohibited sources or articles, and identified supply chain risk information (Acquisition.gov).
For suppliers, the lesson is that security readiness is not only a pre-award questionnaire. It can affect award, performance, incident notification, subcontractor decisions, and past performance.
Why this matters for suppliers
If a supplier treats security questions as a one-time paperwork exercise, they may be surprised later when a customer asks about an incident, a subcontractor, a prohibited tool, or a change in the supply chain.
Suppliers should keep:
A current system list.
A vendor and subcontractor list.
Access review evidence.
Incident contact information.
Security-relevant contract clauses.
Notes on any tools, sources, or services a customer prohibits.
Why this matters for buyer-side teams
If supplier risk is a lifecycle issue, buyer-side teams need a lifecycle communication plan.
That means suppliers should know:
What changes must be reported.
Where to report incidents.
Which subcontractor changes require approval.
What evidence must be refreshed.
Who owns security questions after award.
The best supplier programs do not only screen suppliers. They help suppliers stay ready.
SECURITY NEWS THAT CHANGES THE QUESTIONNAIRE
🎣 Microsoft 365 token theft is now a supplier-risk question
The FBI says Kali365 can capture OAuth access and refresh tokens, giving attackers access to Microsoft 365 services such as Outlook, Teams, and OneDrive without needing the password or additional MFA challenges (FBI IC3).
Why buyers care: A supplier’s email and cloud files may contain customer contracts, invoices, credentials, project files, or sensitive communications.
Supplier move: Document who can revoke sessions, how suspicious logins are reviewed, and whether device-code flow or app consent is restricted.
↗ The 2026 DBIR says attackers are shifting toward exploited systems
Verizon’s 2026 DBIR page says software vulnerabilities now start more breaches than stolen passwords and that generative AI is bolstering multiple attack techniques across the threat lifecycle (Verizon DBIR).
Why buyers care: Supplier questionnaires may put more emphasis on patching, vulnerability management, and software inventory instead of relying only on password and MFA questions.
Supplier move: Keep a simple patching record for laptops, servers, websites, and key business software. If you outsource IT, ask your provider for a monthly patch status summary.
💸 Ransomware remains part of the buyer’s continuity concern
Verizon’s 2026 DBIR page says ransomware is involved in breaches even as payout dynamics shift, and the report positions incident response planning as part of practical defense (Verizon DBIR).
Why buyers care: A supplier hit by ransomware may stop delivering services, lose customer data, or miss contractual obligations.
Supplier move: Keep evidence that backups exist, restores are tested, and someone knows who to contact if systems are encrypted.
📆 CMMC self-assessments need annual affirmations
The DoD CMMC page says Level 1 requires annual self-assessment and annual affirmation, while Level 2 includes assessment requirements and annual affirmation tied to NIST SP 800-171 Revision 2 (DoD CIO).
Why buyers care: For applicable defense work, a supplier’s cybersecurity status is not just a one-time answer.
Supplier move: Treat affirmations as evidence-backed statements. Keep the dated proof behind each control you claim.
QUESTION OF THE WEEK
❓ The questionnaire asks if we review user access. What counts as a review?
Short answer: a review means you checked who has access, confirmed who still needs it, removed what no longer belongs, and kept a record.
It does not have to be complicated.
Why the question matters
Access changes constantly in small businesses. People leave. Contractors finish projects. Agencies get added to websites. Bookkeepers change. A former employee may still have access to cloud storage. A marketing contractor may still be an admin in Meta Business Suite. A shared login may still exist because it was convenient.
Buyers ask about access reviews because stale access is one of the easiest ways for a small issue to become a bigger incident.
What to do first
Pick one system and review it:
Export or screenshot the current user list.
Identify admins separately from regular users.
Mark each user as keep, remove, or confirm.
Remove users who no longer need access.
Turn on MFA for admins if it is not already enabled.
Write down the date, reviewer, system, and changes made.
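The single-system review just listed, and the three-system version under "Do this this week" earlier in the issue, are the same procedure: take the exported user list, mark each account keep, remove, or confirm, pull out the admins and their MFA status, note shared logins, and write the dated note. The script below is an added example for this newsletter, not Security Done Easy's own tooling. It works on a constructed user export for one hypothetical cloud storage system; the account fields, the team list, the 90-day inactivity threshold, and the reviewer name are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    """One row of a user export from a business system (constructed schema)."""
    login: str
    display_name: str
    role: str                      # "admin" or "user"
    mfa_enabled: bool
    last_sign_in: Optional[date]   # None means the account has never signed in


@dataclass
class ReviewResult:
    keep: List[str] = field(default_factory=list)
    remove: List[str] = field(default_factory=list)
    confirm: List[str] = field(default_factory=list)
    admins: List[str] = field(default_factory=list)
    admins_without_mfa: List[str] = field(default_factory=list)
    shared: List[str] = field(default_factory=list)


# Constructed sample export for a hypothetical cloud file storage tenant.
CLOUD_STORAGE_EXPORT = [
    Account("ana@example.com", "Ana Ortiz", "admin", True, date(2026, 5, 22)),
    Account("ben@example.com", "Ben Lee", "admin", False, date(2026, 5, 20)),
    Account("cara@example.com", "Cara Shaw", "user", True, date(2026, 5, 25)),
    Account("dev@example.com", "Devon Price", "user", True, date(2025, 11, 2)),
    Account("marketing@example.com", "Marketing (shared)", "user", False, date(2026, 5, 19)),
    Account("agency-admin@example.com", "Web Agency", "admin", True, None),
]

# Constructed current team and contractor list: who should still have access.
CURRENT_TEAM = {"ana@example.com", "ben@example.com", "cara@example.com",
                "agency-admin@example.com"}

# Logins known to be shared by several people rather than tied to one person.
SHARED_LOGINS = {"marketing@example.com"}

INACTIVE_DAYS = 90  # assumed threshold for "ask the owner to confirm"


def review_access(accounts, current_team, shared_logins, today, inactive_days=INACTIVE_DAYS):
    """Mark each account keep / remove / confirm and collect admin, MFA and shared-login findings."""
    r = ReviewResult()
    for a in accounts:
        # Admin list and MFA status: privileged accounts must not be password-only.
        if a.role == "admin":
            r.admins.append(a.login)
            if not a.mfa_enabled:
                r.admins_without_mfa.append(a.login)
        if a.login in shared_logins:
            # Shared-account check: keep it working for now, but plan named replacements.
            r.shared.append(a.login)
            r.confirm.append(a.login)
        elif a.login not in current_team:
            # Former-user check: not on the team list means the account goes.
            r.remove.append(a.login)
        elif a.last_sign_in is None or (today - a.last_sign_in).days > inactive_days:
            # Still on the team but idle or never used: confirm with the owner.
            r.confirm.append(a.login)
        else:
            r.keep.append(a.login)
    return r


def review_note(system, reviewer, today, r):
    """Render the dated note that goes in the security readiness folder."""
    total = len(r.keep) + len(r.remove) + len(r.confirm)

    def fmt(items):
        return ", ".join(items) if items else "none"

    return "\n".join([
        f"Access review: {system}",
        f"Date: {today.isoformat()}  Reviewer: {reviewer}",
        f"Accounts reviewed: {total}",
        f"Keep: {fmt(r.keep)}",
        f"Remove: {fmt(r.remove)}",
        f"Confirm with owner: {fmt(r.confirm)}",
        f"Admins: {fmt(r.admins)}",
        f"Admins without MFA: {fmt(r.admins_without_mfa)}",
        f"Shared logins to replace with named accounts: {fmt(r.shared)}",
    ])


def run_review(today=date(2026, 5, 26), reviewer="A. Reviewer"):
    """Run the review on the constructed export; returns the result and the note text."""
    r = review_access(CLOUD_STORAGE_EXPORT, CURRENT_TEAM, SHARED_LOGINS, today)
    return r, review_note("Cloud file storage", reviewer, today, r)


if __name__ == "__main__":
    _, note = run_review()
    print(note)
```

The note it prints has the same shape as the "good enough to start" paragraph earlier in the issue: system, date, reviewer, what was kept and removed, the admin and MFA picture, and the follow-up items. Running it again next quarter with a fresh export is the review habit the buyer is asking about.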
What evidence to keep
Keep:
The user list or screenshot.
The admin list.
The dated review note.
A short list of accounts removed.
Any follow-up items, such as “replace shared login” or “confirm contractor access by June 3.”
What can wait
You do not need a formal governance tool to start. A spreadsheet, PDF export, or dated note is enough for many small teams if it is accurate and updated regularly.
READY-TO-SEND LANGUAGE
🪴 Use or adapt this
Use or adapt this language when a customer asks about access reviews:
We periodically review user access for systems that support customer work, including email, cloud storage, accounting, and relevant customer or project systems. The review identifies active users, administrative users, and accounts that no longer require access. We remove inactive or unnecessary accounts and document the review date, reviewer, systems reviewed, and follow-up actions. MFA is required for administrative access where supported.
If you are still building the habit, use this version:
We are formalizing our user access review process. We have started with our primary business systems, including email and cloud storage, and are documenting active users, administrative users, MFA status, and accounts to remove. We will maintain dated review notes and expand the process to additional in-scope systems.
BEFORE YOU GO
Supplier readiness gets easier when you can show your work.
Not in a performative way. In a practical way. Who has access? Who reviewed it? What changed? What evidence did you save?
This week, pick one system and do one access review. If you can do email, start there. If customer work happens in a portal, start there. If a buyer is asking about Microsoft 365, start there.
The first review does not need to be perfect. It needs to exist.
Question for you: “What is one requirement you have seen in a customer questionnaire, RFP, portal, or contract that you are not sure how to answer?”
Until next week,
Alexia
Brightleaf Supplier Readiness™️ by Security Done Easy®
PS. Looking for Phish & Tell, our sister newsletter with cybersecurity advice for small and micro businesses?
