Quote & Qualify!
from Brightleaf Supplier Readiness by Security Done Easy
Security readiness for suppliers who are ready for bigger contracts.
Hello, and welcome.
This week is about the moment after something goes wrong.
Many supplier security questions are really asking the same thing in different words: if there is a security incident, will you know who to call, what to say, what evidence to preserve, and how quickly the buyer needs to hear from you?
That can feel like a large-enterprise problem. It is not. A small supplier can start with one practical page: an incident notification card. It will not solve every incident, but it will help you avoid confusion when time matters.
THE QUALIFYING MOVE
📇 Build your customer incident notification card
When a buyer asks about incident response, breach notification, ransomware, business continuity, or customer communication, they are not only asking whether you own a long policy. They are asking whether your team can recognize a problem, escalate it to the right person, protect evidence, and notify the right customer contact on time.
That matters because reporting clocks are becoming more visible. The Cybersecurity and Infrastructure Security Agency’s CIRCIA rulemaking is focused on covered cyber incident and ransom payment reporting requirements for covered entities, and CISA scheduled revised virtual town halls for June 15-18, 2026 to gather more stakeholder input on the scope and burden of the rule (Federal Register notice via GovInfo). MeriTalk reported that the proposed CIRCIA requirements would require covered entities to report certain cyber incidents to CISA within 72 hours and ransomware payments within 24 hours (MeriTalk).
Defense-adjacent suppliers are seeing the same direction in contract-specific language. A Defense Personal Property Program advisory says transportation service providers and subcontractors must notify the USTRANSCOM Cyber Operations Center as soon as practical, but no later than 72 hours after discovering a reportable cyber incident, and must provide a follow-on report within 5 calendar days (DoD advisory PDF).
You do not need to wait for a crisis to organize this.
Good enough to start looks like a one-page card with:
Internal lead: the person who decides whether something becomes an incident.
Backup lead: the person who acts if the first person is unavailable.
Customer contact path: where to find contract-specific notice requirements and buyer security contacts.
IT support contact: your managed service provider, platform admin, web host, or technical responder.
Insurance contact: cyber insurance or business insurance claim contact, if you have one.
Legal or advisor contact: only if applicable, but name the person now instead of searching later.
Evidence reminder: do not wipe devices, delete logs, reset systems, or close accounts before preserving what happened unless a trusted responder tells you to.
Notification clock: capture when the issue was discovered, who discovered it, and when it was escalated.
What to do this week:
Pull one customer contract, one security questionnaire, and one customer portal requirement.
Search for words like “incident,” “breach,” “ransomware,” “security event,” “notice,” “notification,” and “report.”
Write down any deadlines, required contacts, reporting portals, and required content.
Put those details into your incident notification card.
Save a PDF copy and keep the editable version where your leadership team can find it.
Evidence to keep:
The incident notification card.
Date created and date last reviewed.
A screenshot or excerpt of the customer requirement you used.
A list of who received the card internally.
A simple review note showing you will refresh it at least twice a year or when customer requirements change.
BEHIND THE BUYER’S DESK:
🔐 Why buyers ask about incident response
When buyers ask, “Do you have an incident response plan?” they are trying to learn whether a supplier will go quiet during the exact moment the buyer needs visibility.
They are not expecting a small business to sound like a Fortune 100 security operations center. They are looking for signs that the supplier understands its obligations and will not improvise under pressure.
Answers that create confidence:
“We maintain an incident contact list with internal, customer, technical, and insurance contacts.”
“We track discovery time, escalation time, affected systems, affected data, and containment actions.”
“We review contract-specific notification timelines before work begins.”
“We preserve relevant logs, messages, tickets, screenshots, and affected files before making major changes.”
“We notify customers according to contract terms and applicable legal or regulatory requirements.”
Answers that create follow-up questions:
“We would notify customers if needed.”
“Our IT person handles that.”
“We have never had an incident.”
“We would know what to do.”
“Our systems are secure, so this should not happen.”
What suppliers should avoid saying: do not promise a fixed notification deadline unless you know the customer contract, law, or regulation that applies. “Immediately” sounds reassuring, but it may create confusion if your actual obligation is “without unreasonable delay,” “within 24 hours,” “within 72 hours,” or through a specific portal.
How buyer-side teams can make this easier: ask for the supplier’s incident contact role, notification process, and evidence-preservation approach before asking for a full incident response plan. For a small supplier, a clear one-page escalation process may be a better first readiness signal than a long document nobody uses.
AI READINESS WATCH
✨ Shadow AI is becoming an access-control question
Shadow AI is not only about what employees type into a chatbot. It is also about which AI tools, browser extensions, and OAuth connections have access to business systems.
Push Security’s May 28 research says the average organization in its customer data had 16 unique AI apps, 17 AI browser extensions, and 17 AI OAuth integrations connected into Google Workspace and Microsoft 365 in active use during an average week in April 2026 (Push Security). The same research says 67 percent of generative AI users on corporate devices are using non-corporate accounts, citing Verizon DBIR data, and says 38 percent of file uploads to AI tools in Push data came from shadow accounts rather than approved organizational accounts (Push Security).
This source is vendor research, so treat the exact numbers as directional, not universal. The readiness lesson is still useful: buyers are going to ask suppliers how they control AI access to customer data, not just whether employees are allowed to use AI.
What suppliers should document:
Approved AI tools and what each tool may be used for.
Whether customer data, Federal Contract Information, Controlled Unclassified Information, source code, proposals, or financial data may be entered into AI tools.
Whether employees may use personal AI accounts on company devices.
Which AI browser extensions are allowed.
Which AI tools are connected to Google Workspace, Microsoft 365, Salesforce, GitHub, project management tools, or file storage.
How often OAuth app connections are reviewed.
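The last two items in that list are the ones a buyer will eventually ask you to prove, and the proof is a review of the actual OAuth grants, not a policy statement. The script below is an added example for this newsletter, not code from Push Security or any vendor. It reviews a constructed list of grants shaped like the objects Microsoft Graph returns from its oauth2PermissionGrants collection (clientId, consentType, principalId, scope); the app names, object ids, approved-tool list and departed-user list are all invented for illustration. It flags connections that are not on the approved list, hold scopes beyond what was approved, reach mailboxes or files broadly, were consented tenant-wide, or belong to someone who has left.

```python
"""Review OAuth app grants for unapproved or over-privileged AI tools.

Added example for this newsletter, not code from Push Security or any vendor.
The grants below are a constructed sample shaped like the objects Microsoft
Graph returns from /oauth2PermissionGrants (clientId, consentType, principalId,
scope); the app names, object ids, approved list and departed-user list are all
invented for illustration.
"""

# Delegated Microsoft Graph permission names that reach mailboxes, files, sites
# or the directory. Real scope names; which ones count as "broad" is a judgment
# call for your own environment.
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
}

# Constructed: service principal object id -> display name (in production this
# mapping comes from GET /servicePrincipals).
SERVICE_PRINCIPALS = {
    "sp-0001": "Acme Meeting Notes AI",
    "sp-0002": "SummarizeBot",
}

# Constructed: the supplier's approved AI tool list and the scopes each may hold.
APPROVED = {
    "Acme Meeting Notes AI": {"User.Read", "Calendars.Read", "offline_access"},
}

# Constructed: users who have left; their consents should be revoked.
DEPARTED_USERS = {"u-bob"}

# Constructed grants. consentType "Principal" is one user's consent;
# "AllPrincipals" is admin consent for every user, so principalId is None.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-0001", "consentType": "Principal",
     "principalId": "u-alice", "scope": "User.Read offline_access Calendars.Read"},
    {"id": "g2", "clientId": "sp-0001", "consentType": "Principal",
     "principalId": "u-bob", "scope": "User.Read offline_access Calendars.Read"},
    {"id": "g3", "clientId": "sp-0002", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Read Files.Read.All offline_access"},
    {"id": "g4", "clientId": "sp-0001", "consentType": "Principal",
     "principalId": "u-carol", "scope": "User.Read Files.ReadWrite.All"},
]


def review_grants(grants, service_principals, approved, departed):
    """Return one finding per grant that needs action: revoke or review."""
    findings = []
    for g in grants:
        app = service_principals.get(g["clientId"], g["clientId"])
        scopes = set(g.get("scope", "").split())
        user = g.get("principalId")
        reasons = []
        if app not in approved:
            reasons.append("not on the approved AI tool list")
        else:
            extra = scopes - approved[app]
            if extra:
                reasons.append("scopes beyond approval: " + ", ".join(sorted(extra)))
        broad = scopes & BROAD_SCOPES
        if broad:
            reasons.append("broad data access: " + ", ".join(sorted(broad)))
        if g.get("consentType") == "AllPrincipals":
            reasons.append("tenant-wide consent, applies to every user")
        if user in departed:
            reasons.append("consented by a departed user")
        if not reasons:
            continue                     # approved tool, approved scopes, active user
        action = "revoke" if (app not in approved or user in departed) else "review"
        findings.append({"grant": g["id"], "app": app,
                         "principal": user or "(all users)",
                         "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, SERVICE_PRINCIPALS, APPROVED, DEPARTED_USERS):
        print(f"{f['action'].upper():7} {f['app']} / {f['principal']}")
        for reason in f["reasons"]:
            print(f"         - {reason}")
```

Run against a real export, the finding list is the artifact to keep as evidence: it shows when the review happened and what was revoked. Google Workspace exposes the equivalent per-user token list through the Admin SDK Directory API's tokens resource, and the same approved-list and scope comparison applies there.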
What buyers should ask without overburdening small suppliers:
“Do you allow employees to use AI tools with our data?”
“Do you have an approved AI tools list?”
“Do you allow personal AI accounts for customer work?”
“Who can approve an AI tool connection to email, files, CRM, code, or ticketing systems?”
“Can you remove an AI connection if an employee leaves or a tool is no longer approved?”
The goal is not to ban useful AI. The goal is to know where customer data and account access are going.
REQUIREMENT WATCH
📄 Incident reporting expectations are moving from policy language to operating detail
CIRCIA is not final for every covered entity, but the rulemaking is moving through practical implementation steps. The May 26 Federal Register notice says the CISA town halls are intended to give external stakeholders a limited additional opportunity to provide input on refining the scope and burden of the CIRCIA Notice of Proposed Rulemaking (Federal Register notice via GovInfo).
For suppliers, the lesson is not “memorize every rule.” The lesson is “know which reporting clocks apply to your work.”
The DoD personal property advisory is a useful example because it turns cybersecurity readiness into award and performance conditions. It says transportation service providers and subcontractors must complete CMMC Level 1 continuous compliance affirmations in the Supplier Performance Risk System for relevant systems by March 15, 2026, and that affirmation is required to be awarded shipments picking up on or after May 15, 2026 (DoD advisory PDF). The same advisory says Level 2 affirmation is required by March 15, 2027 for relevant systems and is required for shipments picking up on or after May 15, 2027 (DoD advisory PDF).
Who this affects now:
Suppliers with federal, defense, critical infrastructure, or regulated customers.
Suppliers that handle Federal Contract Information, Controlled Unclassified Information, personally identifiable information, operational data, or customer business files.
Subcontractors whose prime contractors flow down cybersecurity or incident reporting terms.
Small businesses that do not think of themselves as “critical infrastructure” but serve customers that do.
What suppliers should do now:
Build the incident notification card from this week’s qualifying move.
Review contract language for notice deadlines and required recipients.
Ask prime contractors or customers whether incident notices should go through a portal, security mailbox, contracting officer, supplier manager, legal contact, or all of the above.
Keep evidence that the process exists and that the right internal people know where to find it.
What buyer-side teams should communicate clearly:
What counts as a reportable incident for that contract.
When the reporting clock starts.
Which contact or portal should receive the first notice.
What information is required in the first notice versus the follow-up.
Whether a supplier should notify even if the facts are incomplete.
SUPPLY CHAIN SIGNALS
✅ Federal procurement is putting more weight on oversight and integrity
GSA announced on May 28 that it is joining the White House Task Force to Eliminate Fraud and said it will bring federal procurement, technology, and operational expertise to identify vulnerabilities, strengthen oversight, and root out fraud, waste, and abuse across contracting programs (GSA).
For suppliers, this is not just a fraud story. It is a signal that federal buyers and prime contractors may keep asking for better documentation, clearer ownership, cleaner representations, and more consistent records.
For enterprise supplier development teams, the opportunity is to turn oversight into readiness support. If a requirement matters, explain the evidence that proves it. If a portal asks for a certification, tell suppliers what records they should keep behind the answer. If a contract includes security or reporting obligations, make the first step clear before there is a problem.
The supplier that can say “here is our process, here is who owns it, here is the evidence, and here is when we last reviewed it” is easier to qualify than the supplier that sounds confident but cannot show its work.
SECURITY NEWS THAT CHANGES THE QUESTIONNAIRE
Social engineering reached the incident-notification table
Carnival Cruise Line notified 5,995,277 customers after an April 10 breach in which an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of the company’s IT system (BleepingComputer).
Why buyers care: buyers may ask suppliers how they train staff to recognize social engineering, how they verify unusual requests, and how they determine whether personal information was copied.
Supplier move: add social engineering to your incident examples and make sure your incident card says who investigates suspicious access, not just malware.
CRM and franchise records are customer-data questions
7-Eleven said an unauthorized third party accessed systems used to store franchisee documents, while BleepingComputer reported that ShinyHunters claimed it breached 7-Eleven’s Salesforce environment and that Have I Been Pwned counted 185,300 people in the leaked data (BleepingComputer).
Why buyers care: buyers may ask whether supplier CRM, franchise, partner, or customer-support systems contain personal information and who can export it.
Supplier move: list which systems store customer or partner personal information, who has export rights, and how you would know if records were copied.
Website platforms remain supplier risk
CISA added a Drupal vulnerability, CVE-2026-9082, to its Known Exploited Vulnerabilities catalog after exploitation was detected in the wild, and BleepingComputer reported that Imperva observed more than 15,000 attack attempts against almost 6,000 sites across 65 countries (BleepingComputer).
Why buyers care: a supplier website, portal, knowledge base, or form can still create risk even if it is not the main product.
Supplier move: know who patches your website platform, how quickly critical updates are applied, and whether customer data is collected through the site.
Hosting control panels deserve owner-level attention
CISA urged all defenders, including the private sector, to prioritize fixes for CVE-2026-48172, an actively exploited LiteSpeed cPanel user-end plugin vulnerability that can allow remote attackers with no privileges to execute scripts with root privileges (BleepingComputer).
Why buyers care: suppliers often rely on web hosts, agencies, or consultants for websites and customer portals, but buyers still expect the supplier to know who owns patching.
Supplier move: ask your web host or website manager whether your hosting control panel, CMS, plugins, and server components are patched, then save the answer.
Fake support is a third-party access issue
The FBI warned that Silent Ransom Group actors pose as IT support, direct employees to grant remote desktop access, and may send someone in person to insert USB or external storage into a victim’s computer if remote access fails (BleepingComputer).
Why buyers care: buyers may ask whether suppliers verify support requests before granting remote access or physical access to company systems.
Supplier move: document your approved support contacts and require callback verification, to a number you already have on file rather than one the caller supplies, before remote access, admin access, or unexpected onsite computer work.
QUESTION OF THE WEEK
❓ A customer asks how quickly we notify them after a security incident. What can we say if we are a small business?
Short answer: say that you follow contract requirements, preserve evidence, escalate internally, and notify the customer through the required contact path as facts become available. Do not invent a deadline if you do not know which deadline applies.
Why the question matters: incident notice language can be contractual, regulatory, customer-specific, and time-sensitive. The wrong answer can create expectations you cannot meet.
What to do first:
Find the incident notice section in the contract, portal, or questionnaire.
Identify the reporting clock and when it starts.
Identify the required recipient.
Identify what information belongs in the first notice.
Add those details to your incident notification card.
Evidence to keep:
Contract excerpt or portal screenshot showing the requirement.
Your incident notification card.
Internal owner and backup owner.
Review date.
Any customer clarification email.
What can wait: a fully polished enterprise incident response plan can come later. Start with the contact path, decision owner, evidence-preservation rule, and customer-specific timing.
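Both this week's qualifying move (pull the contract, search for the notice words, write down the deadlines) and the "What to do first" steps above come down to the same mechanical job: find the clauses, pull out the time windows, and turn them into due times on the notification card. The script below is an added example for this newsletter, not code from any contract, agency or vendor. The sample contract text is constructed; its 72-hour and 5-calendar-day figures echo the DoD advisory quoted earlier, but the wording is invented. It also handles the caveat that trips people up in practice: "2 business days" and "5 calendar days" are different clocks, and a discovery late on a Friday makes that visible.

```python
"""Turn contract notice language into a concrete reporting clock.

Added example for this newsletter, not code from any contract, agency or vendor.
SAMPLE_CONTRACT is constructed wording: the 72-hour and 5-calendar-day figures
echo the DoD advisory quoted in the newsletter, but the sentences are invented.
"""
import re
from datetime import datetime, timedelta, timezone

# The same search terms the qualifying move tells you to look for.
KEYWORDS = ("incident", "breach", "ransomware", "security event",
            "notice", "notification", "report")

# Matches "within 72 hours", "no later than 5 calendar days", "within 2 business days".
WINDOW_RE = re.compile(
    r"(?:within|no later than|not later than)\s+(\d+)\s*"
    r"(hours?|business days?|calendar days?|days?)",
    re.IGNORECASE,
)

# Constructed sample contract. The invoice sentence is there on purpose: it has a
# deadline but no incident keyword, so the scanner must ignore it.
SAMPLE_CONTRACT = (
    "Contractor shall notify the Buyer Security Mailbox of any reportable cyber "
    "incident as soon as practical, but no later than 72 hours after discovery. "
    "A follow-on report shall be provided within 5 calendar days. "
    "Invoices are due within 30 days of acceptance. "
    "Contractor shall also notify the contracting officer of any data breach "
    "within 2 business days."
)

# Constructed discovery time: a Friday afternoon, so business-day and
# calendar-day windows land on different dates.
EXAMPLE_DISCOVERY = datetime(2026, 6, 5, 16, 30, tzinfo=timezone.utc)


def split_sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", text) if s.strip()]


def find_notice_clauses(text):
    """Sentences that mention an incident keyword, plus any time windows in them."""
    clauses = []
    for sentence in split_sentences(text):
        if not any(k in sentence.lower() for k in KEYWORDS):
            continue
        windows = [(int(qty), re.sub(r"s$", "", unit.lower()))
                   for qty, unit in WINDOW_RE.findall(sentence)]
        clauses.append({"text": sentence, "windows": windows})
    return clauses


def add_business_days(start, n):
    """Advance n weekdays; weekends do not count. (Holidays are not handled.)"""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def deadline(discovered_at, qty, unit):
    if unit == "hour":
        return discovered_at + timedelta(hours=qty)
    if unit == "business day":
        return add_business_days(discovered_at, qty)
    return discovered_at + timedelta(days=qty)      # "day" and "calendar day"


def build_clock(discovered_at, text):
    """Every notice window in the text, mapped to a due time, earliest first."""
    if discovered_at.tzinfo is None:
        raise ValueError("record discovery time with a timezone; a 72-hour clock "
                         "is ambiguous without one")
    rows = []
    for clause in find_notice_clauses(text):
        for qty, unit in clause["windows"]:
            rows.append({"window": f"{qty} {unit}{'s' if qty != 1 else ''}",
                         "due": deadline(discovered_at, qty, unit),
                         "clause": clause["text"]})
    return sorted(rows, key=lambda r: r["due"])


def example_clock():
    return build_clock(EXAMPLE_DISCOVERY, SAMPLE_CONTRACT)


if __name__ == "__main__":
    for row in example_clock():
        print(f"{row['due'].isoformat()}  {row['window']:>16}  {row['clause']}")
```

The keyword filter is deliberately loose and the output still needs a human read: a clause may say the clock starts at "determination" rather than "discovery", or name a portal instead of a mailbox, and neither is something a regular expression should decide for you. What the script gives you is the list of clauses to read and the due times to write on the card, with the discovery timestamp recorded in a timezone so the 72-hour figure means one thing.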
READY-TO-SEND LANGUAGE
🪴 Use or adapt this
Use or adapt this language when a customer asks about incident response:
We maintain an incident escalation and customer notification process that identifies internal decision owners, technical support contacts, and customer-specific notice paths. If we discover a security incident that may affect customer data, systems, or contract performance, we preserve relevant evidence, escalate internally, review the applicable contract or portal notice requirement, and notify the customer through the required contact method as facts become available. We review this process periodically and update it when customer requirements change.
BEFORE YOU GO
Readiness is not about having every answer memorized. It is about knowing where the requirement lives, who owns the next step, and what evidence shows you took the requirement seriously.
This week, make one page. Name the people. Add the customer contact path. Write down the reporting clock. Keep the evidence.
That is how a supplier moves from “we would figure it out” to “we have a process we can show you.”
Question for you: “What is one requirement you have seen in a customer questionnaire, RFP, portal, or contract that you are not sure how to answer?”
Until next week,
Alexia
Brightleaf Supplier Readiness™️ by Security Done Easy®
PS. Looking for Phish & Tell, our sister newsletter with cybersecurity advice for small and micro businesses?
