Further Reading
Further reading should be curated, sourced, and version-aware where relevant. Use this page to organize public guidance, standards, and specifications that support the handbook's mappings.
Source Discipline
- Cite public guidance, standards, or specifications when making factual claims about them.
- Distinguish direct quotation, paraphrase, and interpretation.
- Do not imply endorsement by a standards body unless formally confirmed.
- Label interpretive mappings as guidance.
- Avoid saying a standard requires something unless the source clearly says so.
- Prefer "may support", "can be used for", "is commonly associated with", or "is relevant to" where the relationship is advisory.
- Include publication date or version where relevant.
- Keep further reading curated, not exhaustive.
Governance, Risk, And Supply-Chain Guidance
| Source | Use it for | Version or date note |
|---|---|---|
| NIST Cybersecurity Framework 2.0 | Governance, risk, and supply-chain-risk framing | CSF 2.0 |
| NIST SP 1305: CSF 2.0 Quick-Start Guide for C-SCRM | Using CSF 2.0 to establish and communicate C-SCRM requirements | Published 2024-10-21 |
| NIST SP 800-161r1-upd1 | Cybersecurity supply-chain-risk management practices | Updated 2024 |
| NIST SP 800-218 SSDF v1.1 | Secure software development and supplier communication for software security | Final, 2022-02-03 |
| ISO/IEC 27036-3:2023 | Supplier relationship and hardware/software/services supply-chain security guidance | Edition 2, published 2023-06 |
| ENISA Good Practices for Supply Chain Cybersecurity | EU supply-chain cybersecurity practices and NIS2-related context | Cite publication page/date when used |
| ENISA Threat Landscape for Supply Chain Attacks | Attack/failure mode context and threat examples | Cite publication page/date when used |
| UK NCSC Supply Chain Security Guidance | Supplier assurance, supply-chain principles, and assessment practices | Use page version/review date where available |
| CISA SBOM topic page | SBOM policy, adoption, and operationalization context | Use page and resource dates where available |
| CISA 2025 Minimum Elements for SBOM | SBOM minimum elements and software transparency expectations | Draft guidance, published 2025-08-22 |
Evidence Models And Attestation
| Source | Use it for | Version or date note |
|---|---|---|
| IETF RATS Working Group | Remote attestation architecture and evidence model context | Cite exact RFC or Internet-Draft |
| Entity Attestation Token RFC information | EAT media types and links to EAT-related RFCs | RFC 9782; also cite EAT RFC used |
| IETF CoRIM Internet-Draft | CoRIM/CoMID reference values and endorsements | Draft status; cite revision number |
| TCG Platform Certificate Profile 2.1 | Platform identity and composition claims | Version 2.1 |
| TCG DICE Certificate Profiles v1.1 | DICE certificate profiles and identity/attestation certificates | Version 1.1, 2025-04-24 |
| TCG DICE Attestation Architecture v1.2 | DICE attestation architecture and certificate extensions | Version 1.2 |
Transparency Artifacts
| Source | Use it for | Version or date note |
|---|---|---|
| SPDX | SPDX SBOM and systems/package data exchange references | SPDX is identified by the project as ISO/IEC 5962:2021; cite artifact version used |
| CycloneDX | CycloneDX BOM capabilities, including SBOM, HBOM, CBOM, VEX, and other BOM types | Cite exact CycloneDX version used |
| ECMA-424 CycloneDX specification | Formal CycloneDX Bill of Materials specification | Cite edition/version used |
Trust Anchors, Device Security, And Protocols
| Source | Use it for | Version or date note |
|---|---|---|
| DMTF SPDM standards page | SPDM overview and links to related specifications | Cite exact DSP version used |
| DMTF DSP0274 SPDM 1.4.0 | Security Protocol and Data Model messages, data objects, and sequences | Version 1.4.0, 2025-05-15 document date |
| GlobalPlatform specification library | GlobalPlatform TEE, Secure Element, and related specifications | Cite exact document ID and version |
| GlobalPlatform TEE System Architecture v1.3 | TEE architecture context | GPD_SPE_009, published 2022-05 |
| GlobalPlatform TEE Secure Element API v1.1.2 | TEE to Secure Element API context | GPD_SPE_024, published 2021-02 |
| OCP S.A.F.E. program | Hardware and firmware security appraisal context | Cite current program page and repository references |
| OCP S.A.F.E. GitHub repository | OCP S.A.F.E. framework, reports, and process documents | Cite commit, file, or release where appropriate |
| Caliptra project documentation | Open silicon root-of-trust project context | Cite exact project documentation or specification referenced |
Relationship To Existing Guidance
This handbook should acknowledge that extensive supply-chain-security guidance already exists. Its role is to bridge needs, guidance, evidence, lifecycle assurance, and technology mappings.