
CISSP Domain 1: Supply Chain & Awareness Training


On the CISSP, supply chain risk management means acting BEFORE you buy - you assess the vendor, write security into the contract, then monitor them forever, because a one-time assessment is only a snapshot. This Domain 1 deep-dive walks SCRM end to end, from tampering, counterfeits, and malicious implants through 3rd- and 4th-party risk, minimum security requirements, SLAs, continuous monitoring, the Software Bill of Materials, and hardware roots of trust. Then we cross into objective 1.12 and untangle the classic exam trap: awareness versus training versus education. With Professor Erica, Lewis, Sara, and Bella, we cover how to defend against AI-generated phishing and deepfakes, and how to measure whether a security awareness program actually changes behavior.

In this video:

  • The three acquisition threats: tampering, counterfeits, and malicious implants
  • 3rd party vs 4th party, and the concentration risk that turns one outage into five
  • Why the contract is your strongest pre-purchase security control
  • Assessment vs continuous monitoring, and why the exam treats them as a pair
  • The Software Bill of Materials (SBOM) and what it does and does not do
  • Awareness vs training vs education: the what, the how, and the why

The next video moves out of Domain 1 into asset security and data classification. This video is anchored to the (ISC)2 CISSP Detailed Content Outline effective April 15, 2024, with NIST SP 800-161 and SP 800-50.

▶ Watch next: CISSP Domain 3: Bell-LaPadula vs Biba (No More Mix-Ups) https://www.youtube.com/watch?v=F8NOU8v9kzs

📺 Full playlist: CISSP (2026) v2 https://www.youtube.com/playlist?list=PLlIAFxS2964_K3g6WysWnLpifoxilduGi


Key Topics

  • The Vendor You Never Vetted Just Breached You
  • Why Supply Chain Sits in Domain One
  • Tampering, Counterfeits, and Hidden Implants
  • Third Party, Fourth Party, and the Chain Behind Them
  • Contracts Are a Control: Minimum Requirements and SLAs
  • Assess Once, Monitor Forever
  • The Software Bill of Materials
  • Trust Anchored in Silicon