This piece from CISA/NIST on Cyber Supply Chain Risk Management (CSCRM or C-SCRM) is a good read. They recommend a serious focus on supplier relationships and strongly suggest that organisations require suppliers to evidence their attention to information security with a certification (presumably ISO 27001 or SOC 2).