I think that's what the common reporting implies, but I'm not confident that it's true. My understanding is that a supply chain risk must specifically be involved in the supply chain, hence the name. It may be that the admin hypes up their powers for the purposes of instilling fear, but as evidenced by this very post, they can be wrong.