
Are You Operating in a Regulated Supply Chain Without Knowing It?

Brian Gallagher
General Manager, Koniag Cyber

This is part 2 of a 5-part series focused on what separates regulated industries in cybersecurity and how risk continues to evolve for all commercial enterprises. Read Part I here.

In today’s business environment, it is not always obvious when you are operating within a regulated supply chain. You might not manufacture defense systems, store patient records, or process financial transactions yourself, and that may not matter at all. If your clients do, your business can still be subject to their more stringent regulations.

This is increasingly common in industries like defense, healthcare, and finance, where compliance obligations extend beyond the primary organization to its vendors, service providers, and software suppliers. The pattern has a name, and you need to know it and its potential impact on your company: inherited compliance.

The Nearly $10M Genomic Sequencing Vulnerability

In late July of this year, the U.S. Department of Justice issued this release, describing how a leading genomics biotech company sold government agencies genomic sequencing systems whose software contained cybersecurity vulnerabilities. The government alleged that the company did not have adequate security programs or sufficient quality systems to identify and address those vulnerabilities, and the company paid to settle those allegations.

Assistant Attorney General Brett A. Shumate was quoted as saying, “Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks.” 

When this biotech leader entered into agreements with federal agencies, it inherited the more stringent compliance obligations that came with them, and it cost the company nearly $10M to resolve the matter.

Why This Matters

  • Subcontractors supporting a prime federal contractor must often comply with frameworks like CMMC, NIST SP 800-171, or FISMA, and those requirements flow down through the contract regardless of the subcontractor’s size.
  • SaaS vendors serving hospitals are business associates under HIPAA and must sign a business associate agreement and meet the HIPAA Security Rule’s safeguards for protected health information.
  • Software developers shipping products to DoD customers must provide SBOMs (software bills of materials) and comply with NDAA Section 889, which prohibits covered telecommunications and video surveillance equipment and services (for example, Huawei and ZTE) in federal contracts.

You may not see yourself as a regulated entity, but your contracts, data flows, and partnerships may tell a different story, and that story is what makes you accountable.

At Koniag Cyber, we help organizations uncover these hidden obligations and build right-sized security strategies to stay compliant and competitive.
