Supply Chain Security Curated References
Curated references should be sourced, version-aware, and deliberately non-exhaustive. Use this page to find public guidance, standards, and specifications that support the handbook's mappings.
This page is not a live standards catalog. Keep it stable, useful, and maintainable.
Source discipline
- Cite public guidance, standards, or specifications when making factual claims about them.
- Distinguish direct quotation, paraphrase, and interpretation.
- Do not imply endorsement by a standards body unless formally confirmed.
- Label interpretive mappings as guidance.
- Avoid saying a standard requires something unless the source clearly says so.
- Prefer "may support", "can be used for", "is commonly associated with", or "is relevant to" where the relationship is advisory.
- Include publication date or version where relevant.
- Keep references curated, not exhaustive.
Governance, risk, and supply-chain guidance
| Source | Use it for | Version or date note |
|---|---|---|
| NIST Cybersecurity Framework 2.0 | Governance, risk, and supply-chain-risk framing | CSF 2.0 |
| NIST SP 1305: CSF 2.0 Quick-Start Guide for C-SCRM | Using CSF 2.0 to establish and communicate C-SCRM requirements | Published 2024-10-21 |
| NIST SP 800-161r1-upd1 | Cybersecurity supply-chain-risk management practices | Updated 2024 |
| NIST SP 800-218 SSDF v1.1 | Secure software development and supplier communication for software security | Final, 2022-02-03 |
| ISO/IEC 27036-3:2023 | Supplier relationship and hardware/software/services supply-chain security guidance | Edition 2, published 2023-06 |
| ENISA Good Practices for Supply Chain Cybersecurity | EU supply-chain cybersecurity practices and NIS2-related context | Cite publication page/date when used |
| ENISA Threat Landscape for Supply Chain Attacks | Attack/failure mode context and threat examples | Cite publication page/date when used |
| UK NCSC Supply Chain Security Guidance | Supplier assurance, supply-chain principles, and assessment practices | Use page version/review date where available |
| CISA SBOM topic page | SBOM policy, adoption, and operationalization context | Use page and resource dates where available |
| CISA 2025 Minimum Elements for SBOM | SBOM minimum elements and software transparency expectations | Draft guidance, published 2025-08-22 |
Evidence structures and attestation
| Source | Use it for | Version or date note |
|---|---|---|
| IETF RATS Working Group | Remote attestation architecture and evidence model context | Cite exact RFC or Internet-Draft |
| Entity Attestation Token RFC information | EAT media types and links to EAT-related RFCs | RFC 9782; also cite EAT RFC used |
| IETF CoRIM Internet-Draft | CoRIM/CoMID reference values and endorsements | Draft status; cite revision number |
| TCG Platform Certificate Profile 2.1 | Platform identity and composition claims | Version 2.1 |
| TCG DICE Certificate Profiles v1.1 | DICE certificate profiles and identity/attestation certificates | Version 1.1, 2025-04-24 |
| TCG DICE Attestation Architecture v1.2 | DICE attestation architecture and certificate extensions | Version 1.2 |
| TCG Block Integrated Trust | Lightweight hardware root-of-trust capabilities for constrained device identity, measurement storage, and measurement reporting | Cite the public page and the exact BIT specification, profile, or implementation scope used |
Transparency artifacts
| Source | Use it for | Version or date note |
|---|---|---|
| SPDX | SPDX SBOM and systems/package data exchange references | SPDX is identified by the project as ISO/IEC 5962:2021; cite artifact version used |
| CycloneDX | CycloneDX BOM capabilities, including SBOM, HBOM, CBOM, VEX, and other BOM types | Cite exact CycloneDX version used |
| ECMA-424 CycloneDX specification | Formal CycloneDX Bill of Materials specification | Cite edition/version used |
Trust anchors, device security, and protocols
| Source | Use it for | Version or date note |
|---|---|---|
| DMTF SPDM standards page | SPDM overview and links to related specifications | Cite exact DSP version used |
| DMTF DSP0274 SPDM 1.4.0 | Security Protocol and Data Model messages, data objects, and sequences | Version 1.4.0, 2025-05-15 document date |
| Draft ETSI EN 304 623 V0.1.3 | CRA boot-manager security requirements, including boot trust, update, rollback, debug, and evidence considerations | Interim draft, 2026-06; cite final published text if it changes |
| GlobalPlatform specification library | GlobalPlatform TEE, Secure Element, and related specifications | Cite exact document ID and version |
| GlobalPlatform TEE System Architecture v1.3 | TEE architecture context | GPD_SPE_009, published 2022-05 |
| GlobalPlatform TEE Secure Element API v1.1.2 | TEE to Secure Element API context | GPD_SPE_024, published 2021-02 |
| OCP S.A.F.E. program | Hardware and firmware security appraisal context | Cite current program page and repository references |
| OCP S.A.F.E. GitHub repository | OCP S.A.F.E. framework, reports, and process documents | Cite commit, file, or release where appropriate |
| Caliptra project documentation | Open silicon root-of-trust project context | Cite exact project documentation or specification referenced |
Relationship to existing guidance
This handbook should acknowledge that extensive supply chain security guidance already exists. Its role is to bridge standards and threats, practices and controls, evidence expectations, lifecycle assurance, and technology options.
Use Standards and Regulations for how governance references shape requirements, Glossary for terminology, and Technology Options for implementation mechanisms.