If consequences matter, they should apply to vendors, too | CyberScoop<\/title> <meta name=\"description\" content=\"The new Executive Order targets cyber-fraud networks with sanctions and prosecutions, but critics argue the administration's pivot on SBOMs and software attestations creates a dangerous "upstream" security gap.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/washington-cybercrime-executive-order-software-security-gap\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"If consequences matter, they should apply to vendors, too\"> <meta property=\"og:description\" content=\"The new Executive Order targets cyber-fraud networks with sanctions and prosecutions, but critics argue the administration's pivot on SBOMs and software attestations creates a dangerous "upstream" security gap.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/washington-cybercrime-executive-order-software-security-gap\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-03-11T10:00:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg\"> <meta property=\"og:image:width\" content=\"7667\"> <meta property=\"og:image:height\" content=\"5111\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1773182540g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1773167249g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88140\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88140\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fwashington-cybercrime-executive-order-software-security-gap%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fwashington-cybercrime-executive-order-software-security-gap%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88140 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/washington-cybercrime-executive-order-software-security-gap\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.903092783505\">\n<div class=\"single-article__header-content\" readability=\"37.423404255319\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/washington-cybercrime-executive-order-software-security-gap\/\"> <span>Commentary<\/span> <\/a> <\/li>\n<\/ul>\n<p> The latest executive order pushes Washington to crack down on cyber fraud, but a different mandate eases software security accountability, leaving an inconsistent strategy that keeps the attack surface cheap to exploit. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88140\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg 7667w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-3.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"47.118834080717\"><body readability=\"97.416449395591\"><\/p>\n<p>Washington has rediscovered consequences. Just not consistently.<\/p>\n<p>The March 6 <a href=\"https:\/\/www.whitehouse.gov\/presidential-actions\/2026\/03\/combating-cybercrime-fraud-and-predatory-schemes-against-american-citizens\/\">executive order<\/a> rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government\u2019s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.<\/p>\n<p>Good.<\/p>\n<p>But weeks ago, <a href=\"https:\/\/cyberscoop.com\/omb-rescinds-burdensome-biden-era-secure-software-memo\/\">an OMB Memo<\/a> rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and <a href=\"https:\/\/cyberscoop.com\/tag\/SBOM\/\">SBOM<\/a> requests optional rather than durable expectations.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.<\/p>\n<p>The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: <a href=\"https:\/\/cyberscoop.com\/tag\/ransomware\/\">ransomware<\/a>, phishing, impersonation, <a href=\"https:\/\/cyberscoop.com\/tag\/sextortion\/\">sextortion<\/a>, and financial fraud that\u2019s run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.<\/p>\n<p>That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.<\/p>\n<p>But then we arrive at software.<\/p>\n<p>The critique of the old federal assurance regime is not entirely wrong. <a href=\"https:\/\/cyberscoop.com\/tag\/compliance\/\">Compliance<\/a> can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. <a href=\"https:\/\/cyberscoop.com\/tag\/office-of-management-and-budget\/\">OMB<\/a> says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Still, the failure of bad compliance is not proof that accountability itself was the problem.<\/p>\n<p>That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.<\/p>\n<p>Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.<\/p>\n<p>This is also why my own position has not changed. In a <a href=\"https:\/\/www.sonatype.com\/blog\/a-demand-for-real-consequences-sonatypes-response-to-cisas-secure-by-design?utm_source=CyberScoop&utm_medium=media&utm_campaign=etloped\">post I wrote in 2024<\/a>, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.<\/p>\n<p>That is the deeper issue. <a href=\"https:\/\/cyberscoop.com\/tag\/cybercrime\/\">Cybercrime<\/a> at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.<\/p>\n<p>A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for <a href=\"https:\/\/cyberscoop.com\/tag\/secure-by-design\/\">secure-by-design<\/a> production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.<\/p>\n<p>The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.<\/p>\n<p>The unanswered question is why that logic should stop at the edge of the scam center.<\/p>\n<p><em>Brian Fox is the co-founder and CTO of Sonatype. <\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"0.38333333333333\">\n<div class=\"author-card\" readability=\"7\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-1.jpg?w=640&ssl=1\" alt=\"Brian Fox\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Brian Fox<\/h4>\n<p> Brian Fox is the founder and CTO of Sonatype. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<div class=\"popular-stories__stories\">\n<div class=\"popular-stories__cards\">\n<article class=\"post-item post-item--popular-stories-cards \" readability=\"21.484813084112\">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/data-center-security-ai-infrastructure-investment-op-ed\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"500\" height=\"337\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-2.jpg?resize=500%2C337&ssl=1\" class=\"attachment-ratio-16-9-md size-ratio-16-9-md wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg 7500w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=300,202 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=768,517 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=1024,690 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=1536,1035 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=2048,1380 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=600,404 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=249,168 249w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=500,337 500w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=1002,675 1002w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/if-consequences-matter-they-should-apply-to-vendors-too-4.jpg?resize=1251,843 1251w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"> <\/a><figcaption class=\"screen-reader-text\"> Construction on an Oncor electricity power plant by the new Skybox Power Campus data colocation center in North Austin, Texas. Cybersecurity must be table stakes as the data center boom continues, this op-ed argues. (Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\" readability=\"1.7664974619289\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/data-center-security-ai-infrastructure-investment-op-ed\/\"> Why \u2018secure-by-design\u2019 systems are non-negotiable in the AI era <\/a> <\/h3>\n<p> Trillions in AI infrastructure face systemic failure unless security begins at the chip and ends with the grid. <\/p>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/jeffrey-knight\/\"> Jeffrey Knight <\/a> <\/span> <\/div>\n<p> <\/header>\n<p> <\/article>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/washington-cybercrime-executive-order-software-security-gap\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If consequences matter, they should apply to vendors, too |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[280,120,282,1599,1571,2807,60,46,5889,1276,2657,3688,1813],"tags":[284,122,286,1601,1572,2808,67,54,5895,1278,2658,3690,1814],"class_list":["post-8421","post","type-post","status-publish","format-standard","hentry","category-commentary","category-compliance","category-cybercrime","category-executive-order","category-office-of-management-and-budget","category-op-ed","category-phishing","category-ransomware","category-sbom","category-secure-by-design","category-sextortion","category-software-security","category-supply-chain","tag-commentary","tag-compliance","tag-cybercrime","tag-executive-order","tag-office-of-management-and-budget","tag-op-ed","tag-phishing","tag-ransomware","tag-sbom","tag-secure-by-design","tag-sextortion","tag-software-security","tag-supply-chain"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commentary\/\" rel=\"category tag\">Commentary<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/compliance\/\" rel=\"category tag\">compliance<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/executive-order\/\" rel=\"category tag\">Executive order<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/office-of-management-and-budget\/\" rel=\"category tag\">office of management and budget<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/op-ed\/\" rel=\"category tag\">op-ed<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sbom\/\" rel=\"category tag\">SBOM<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secure-by-design\/\" rel=\"category tag\">secure-by-design<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sextortion\/\" rel=\"category tag\">Sextortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/software-security\/\" rel=\"category tag\">software security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain\/\" rel=\"category tag\">supply chain<\/a>","tag_info":"supply chain","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8421"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8421\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8421,"date":"2026-03-11T05:00:00","date_gmt":"2026-03-11T10:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88140"},"modified":"2026-03-11T05:00:00","modified_gmt":"2026-03-11T10:00:00","slug":"if-consequences-matter-they-should-apply-to-vendors-too","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/03\/11\/if-consequences-matter-they-should-apply-to-vendors-too\/","title":{"rendered":"If consequences matter, they should apply to vendors, too"},"content":{"rendered":"