Glossary
This glossary defines terms used across the handbook. It is intentionally practical rather than standards-body-specific.

| Term | Working definition |
|---|---|
| Assurance | Confidence that a supply-chain-security practice or control is operating as intended. |
| Assertion | A statement that a control exists or an action happened, without independently verifiable evidence. |
| Artifact | A record, manifest, certificate, measurement, attestation, log, report, or other object that can support an assurance decision. |
| Attestation | A claim, often signed and based on measurements or protected state, about properties or current state of a device, component, platform, or service. |
| Chain of custody | Records showing how an item moved through suppliers, logistics, integrators, repairers, owners, or operators. |
| Component transparency | Visibility into software, firmware, hardware, or other components present in a product or platform. |
| Evidence | Any artifact, record, claim, measurement, certificate, attestation, manifest, log, or report that can help decide whether a practice is operating. |
| Hardware-rooted identity | Identity evidence bound to hardware or a protected trust anchor rather than only to a process or document. |
| Lifecycle assurance | Assurance that is retained and updated across product lifecycle stages rather than checked only once. |
| Lifecycle-state evidence | Evidence showing whether an asset is active, deployed, repaired, transferred, revoked, retired, or decommissioned. |
| Platform Certificate | A certificate or related artifact that can help describe platform identity and composition in some architectures. |
| Provenance | Information about origin, ownership, custody, manufacturing, sourcing, or transfer history. |
| Reference integrity measurement | An expected measurement or reference value against which current or reported state is compared. |
| SBOM | Software Bill of Materials, a transparency artifact describing software components and dependencies. |
| Trust anchor | A root of trust, key, credential, hardware component, or controlled environment that other verification decisions rely on. |
| Verifiable artifact | Evidence whose origin, integrity, freshness, consistency, or product binding can be checked. |
| xBOM | A broader bill-of-materials concept that may cover software, firmware, hardware, cryptographic assets, services, or other component types. |