Supply Chain Security Worked Examples

Worked examples show the handbook's evidence model in action. They are fictional but realistic scenarios that demonstrate how to move from a supplier's or team's claim to evidence a reviewer can actually check.

Use these examples when a checklist or template is too abstract and you need to see what good evidence might look like for a supplier, product, update, vulnerability, component, or assurance response.

Example scenarios

Each example, and what to use it to see:

  • Supplier Onboarding Evidence Package: what a good supplier response can look like before contract award
  • Product Acceptance Package: what a buyer should review before accepting a connected product
  • Secure Update Approval: how signing, release governance, rollback, recovery, vulnerability handling, and customer notification fit together
  • Vulnerability Response Evidence: what "we fixed it" should include beyond a statement
  • Component Provenance Example: how to move from a component list to usable assurance evidence
  • Weak vs Strong Supplier Answers: side-by-side examples of vague claims and reviewable evidence

Evidence model used in examples

Each scenario follows the same pattern:

threat/failure mode -> decision -> control -> evidence -> verification -> gaps -> retention

Good evidence is not just a document. It should show:

  • what decision it supports;
  • which product, supplier, component, release, service, or lifecycle stage it applies to;
  • who produced it and who owns it;
  • how origin, integrity, freshness, scope, or consistency can be checked;
  • what gaps, exceptions, or risk acceptances remain;
  • how long the evidence must remain available and useful.

The examples also label weak, better, and stronger answers using the Evidence Maturity Model, so readers can see the difference between assertion, documented process, produced artifact, verifiable artifact, and lifecycle-retained evidence.
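To make the "verifiable artifact" rung concrete, the following is an added example (not code from the handbook or any of its example packages) of what a reviewer-side check of one evidence record can look like. The record shape (EvidenceRecord), the reviewer's Expectation, the Verify function, and the small SBOM-like artifact are all constructed for this illustration; the handbook does not prescribe a schema or signature scheme. Origin is checked with an Ed25519 signature from the producer's published key, integrity by a SHA-256 digest of the artifact bytes, freshness by a maximum age, scope by matching the product and release the decision is about, and consistency by confirming the component named in the record appears in the artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// EvidenceRecord is a hypothetical wrapper around one evidence artifact. Its
// fields are the metadata the handbook says good evidence should carry; the
// field names are this example's own, not a handbook schema.
type EvidenceRecord struct {
	Decision       string    `json:"decision"`        // what decision it supports
	Product        string    `json:"product"`         // scope: product
	Release        string    `json:"release"`         // scope: release
	Component      string    `json:"component"`       // scope: component (may be empty)
	Producer       string    `json:"producer"`        // who produced it
	ProducedAt     time.Time `json:"produced_at"`     // freshness anchor
	ArtifactSHA256 string    `json:"artifact_sha256"` // integrity binding to the artifact bytes
	Signature      []byte    `json:"signature,omitempty"`
}

// signingPayload is the canonical byte string the producer signs: the record
// with Signature cleared, JSON-encoded in struct field order.
func signingPayload(r EvidenceRecord) []byte {
	r.Signature = nil
	b, err := json.Marshal(r)
	if err != nil {
		panic(err)
	}
	return b
}

// Sign returns a copy of r signed with the producer's Ed25519 key.
func Sign(r EvidenceRecord, priv ed25519.PrivateKey) EvidenceRecord {
	r.Signature = ed25519.Sign(priv, signingPayload(r))
	return r
}

// Expectation is the reviewer's side: the decision context the evidence must
// fit, the key the producer is expected to sign with, and the freshness limit.
type Expectation struct {
	Product, Release string
	ProducerKey      ed25519.PublicKey
	Now              time.Time
	MaxAge           time.Duration
}

// Verify runs the origin, integrity, freshness, scope and consistency checks
// and returns one finding per failure. An empty result means the record is a
// verifiable artifact for this decision rather than a bare assertion.
func Verify(r EvidenceRecord, artifact []byte, exp Expectation) []string {
	var findings []string
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != r.ArtifactSHA256 {
		findings = append(findings, "integrity: artifact digest does not match the record")
	}
	if !ed25519.Verify(exp.ProducerKey, signingPayload(r), r.Signature) {
		findings = append(findings, "origin: signature does not verify under the expected producer key")
	}
	if age := exp.Now.Sub(r.ProducedAt); age < 0 || age > exp.MaxAge {
		findings = append(findings, fmt.Sprintf("freshness: produced %s ago, limit is %s", age, exp.MaxAge))
	}
	if r.Product != exp.Product || r.Release != exp.Release {
		findings = append(findings, fmt.Sprintf("scope: record covers %s %s, decision is about %s %s",
			r.Product, r.Release, exp.Product, exp.Release))
	}
	if r.Component != "" && !strings.Contains(string(artifact), r.Component) {
		findings = append(findings, "consistency: component named in the record is absent from the artifact")
	}
	return findings
}

// SampleArtifact is a constructed, SBOM-like document standing in for the real
// evidence artifact (an SBOM, test report, or attestation in practice).
var SampleArtifact = []byte(`{"components":[{"name":"libexample","version":"1.2.3"}]}`)

// SampleRecord builds and signs a record binding SampleArtifact to a fictional
// product-acceptance decision; product and component names are made up.
func SampleRecord(priv ed25519.PrivateKey, producedAt time.Time) EvidenceRecord {
	sum := sha256.Sum256(SampleArtifact)
	return Sign(EvidenceRecord{
		Decision: "product acceptance", Product: "example-gateway", Release: "4.2.0",
		Component: "libexample", Producer: "supplier-build-pipeline",
		ProducedAt: producedAt, ArtifactSHA256: hex.EncodeToString(sum[:]),
	}, priv)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	exp := Expectation{Product: "example-gateway", Release: "4.2.0",
		ProducerKey: pub, Now: now, MaxAge: 90 * 24 * time.Hour}
	fresh := SampleRecord(priv, now.Add(-24*time.Hour))
	fmt.Println("good record:      ", Verify(fresh, SampleArtifact, exp))
	fmt.Println("tampered artifact:", Verify(fresh, []byte(`{"components":[]}`), exp))
	fmt.Println("stale record:     ", Verify(SampleRecord(priv, now.Add(-365*24*time.Hour)), SampleArtifact, exp))
	wrongRelease := exp
	wrongRelease.Release = "4.3.0"
	fmt.Println("wrong release:    ", Verify(fresh, SampleArtifact, wrongRelease))
}
```

The point of returning findings rather than a single pass/fail is that each finding maps to one of the handbook's evidence properties, so a failed check becomes a named gap the reviewer can record, accept, or send back to the supplier. Retention is the one property the code cannot check: it is a property of where the record and the producer's key are stored, not of the record itself.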

How to use these examples

Use the examples alongside: