Evidence Checklist

Use this checklist to turn a supply-chain-security question into evidence requests and acceptance criteria.

| Evidence area | Questions to ask | Acceptance signal |
|---|---|---|
| Identity | What identity is being claimed, who issued it, and how is it bound to the device, component, platform, supplier, or service? | Identity can be verified against an expected issuer, product, component, or trust anchor |
| Provenance | What origin, custody, sourcing, manufacturing, logistics, repair, or transfer records exist? | Chain gaps and custody changes are visible and explained |
| Integrity | What measurements, manifests, signatures, or attestation results show expected state? | Current state can be compared to a trusted baseline or policy |
| Transparency | What SBOM, xBOM, firmware, hardware, or component artifacts are available? | Artifacts are tied to product versions and updated after changes |
| Updates | What records show updates were authorized, delivered, installed, and recoverable? | Update state and rollback status can be confirmed |
| Vulnerability handling | What evidence shows known exposures are tracked, remediated, accepted, or mitigated? | Vulnerability status is tied to products, versions, and remediation decisions |
| Lifecycle state | What records show whether an asset is active, repaired, transferred, revoked, retired, or decommissioned? | Lifecycle status can be verified and is retained for later decisions |
| Verification | Can the recipient verify origin, integrity, freshness, consistency, and lifecycle relevance? | Evidence has a clear verifier, trust anchor, policy, or audit path |
| Retention | How long will the evidence remain available and useful? | Retention, access, refresh, supersession, and revocation are defined |

Checklist Use

  1. Start with the decision.
  2. Identify the lifecycle stage.
  3. Name the failure mode.
  4. Select the relevant evidence area.
  5. Request artifacts and verification paths.
  6. Record weak, better, and stronger answers.
  7. Decide whether evidence must be retained or refreshed.
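As an added example, not part of this checklist page, the Python below turns several of the table's acceptance signals into machine checks over one evidence bundle: issuer against a configured trust anchor (Identity), custody records for gaps (Provenance), a measurement against a version-tied baseline (Transparency, Integrity), attestation freshness (Verification), and lifecycle state. Every issuer name, digest, custody party and the 90-day freshness window is a constructed assumption, not a value from any real product.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Verifier policy (constructed values, not taken from any real product).
TRUSTED_ISSUERS = {"issuer:vendor-a-firmware-signing"}
BASELINE_DIGESTS = {"fw-1.4.2": hashlib.sha256(b"constructed image 1.4.2").hexdigest()}
MAX_EVIDENCE_AGE = timedelta(days=90)       # freshness window for attestation results
USABLE_LIFECYCLE = {"active", "repaired"}   # states in which the asset may still be relied on


@dataclass
class Evidence:
    component: str                   # product version the artifacts claim to describe
    issuer: str                      # who issued the identity and attestation
    measured_digest: str             # measurement reported by the attestation
    attested_at: datetime            # when the measurement was produced
    custody: list[tuple[str, str]]   # ordered (from_party, to_party) transfer records
    lifecycle: str                   # active | repaired | transferred | revoked | retired


def custody_gaps(custody: list[tuple[str, str]]) -> list[str]:
    """Describe every break where a transfer does not start where the previous one ended."""
    return [f"gap between {prev_to} and {nxt_from}"
            for (_, prev_to), (nxt_from, _) in zip(custody, custody[1:])
            if prev_to != nxt_from]


def evaluate(ev: Evidence, now: datetime) -> dict[str, str]:
    """Apply the checklist's acceptance signals to one evidence bundle."""
    f = {"identity": "pass" if ev.issuer in TRUSTED_ISSUERS
         else "fail: issuer is not a configured trust anchor"}
    gaps = custody_gaps(ev.custody)
    f["provenance"] = "pass" if not gaps else "fail: " + "; ".join(gaps)
    baseline = BASELINE_DIGESTS.get(ev.component)   # ties the artifact to a product version
    f["transparency"] = "pass" if baseline else "fail: artifact not tied to a known version"
    f["integrity"] = ("pass" if ev.measured_digest == baseline
                      else "fail: no baseline or measurement differs from it")
    f["verification"] = ("pass" if now - ev.attested_at <= MAX_EVIDENCE_AGE
                         else "fail: attestation is older than the freshness window")
    f["lifecycle"] = ("pass" if ev.lifecycle in USABLE_LIFECYCLE
                      else f"fail: asset state '{ev.lifecycle}' is not usable")
    f["decision"] = "accept" if all(v == "pass" for v in f.values()) else "reject"
    return f


# Constructed sample: a custody break between the distributor and the installer.
SAMPLE = Evidence("fw-1.4.2", "issuer:vendor-a-firmware-signing",
                  BASELINE_DIGESTS["fw-1.4.2"], datetime(2025, 1, 10),
                  [("vendor-a", "distributor"), ("installer", "site-7")], "active")
```

Running `evaluate(SAMPLE, datetime(2025, 2, 1))` rejects the bundle solely on the provenance gap, which is the kind of weak answer step 6 asks you to record; closing the gap with a `("distributor", "installer")` record makes every area pass.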