Programming Note: I had my honeymoon for most of September and spent a lot of October and early November moving, which limited my writing time. We’re now resuming our usually scheduled cadence of posts every 2-ish weeks.
Organizations, especially your customers, sometimes feel the need to assess the security of their vendors. Often this is a requirement of their compliance frameworks, though sometimes it's a genuine desire to reduce vendor risk. This typically involves:
Have calls with you to discuss any issues they perceived in your responses, or just to get all the answers in a call because why be efficient about time usage?
Some companies do intense, in-depth self-audits of critical vendors, but that's probably not you, so it's not worth going into right now.
This has a lot of problems, has made a lot of people very angry, and is widely regarded as a bad move. There is plenty of nihilism in the vendor security space. The smart people at Latacora have written about this before. I'm sure some of us have seen the various posts that Daniel Miessler has written, arguing that you can't really evaluate the potential for compromise from a vendor, so you should assume they're all compromised, barely bother evaluating them, and try to reduce the blast radius.