The linked article, leading back to the actual original work cited, is a good example of the challenges of supply chain risk management (SCRM) in the cyber world. As background, I worked on the original, nascent US Defense Department SCRM program when it was still classified as Comprehensive National Cybersecurity Initiative #11. At that time we made the observation, and tried to spread it widely, that in the traditional logistics community supply chain risk is all about risks TO the supply chain, such as damage, theft, delivery delays, transportation issues, intermediate warehouse problems, etc. Markedly different is supply chain risk in the cyber world, where we are concerned with risks THROUGH the supply chain. For our world, the focus is on the reality that the supply chain can become a very effective attack vector against most any operational activity.
The article John linked to, without listing any of the "important questions" he alluded to, is a good start on becoming aware of how cyber SCRM has become so complex in the past decade.