# Supply Chain Security Worked Examples
Worked examples show the handbook's evidence model in action. They are fictional, realistic scenarios that demonstrate how to move from a claim to reviewable evidence.
Use these examples when a checklist or template is too abstract and you need to see what good evidence might look like for a supplier, product, update, vulnerability, component, or assurance response.
## Example scenarios
| Example | Use it to see... |
|---|---|
| Supplier Onboarding Evidence Package | What a good supplier response can look like before contract award |
| Product Acceptance Package | What a buyer should review before accepting a connected product |
| Secure Update Approval | How signing, release governance, rollback, recovery, vulnerability handling, and customer notification fit together |
| Vulnerability Response Evidence | What "we fixed it" should include beyond a statement |
| Component Provenance Example | How to move from a component list to usable assurance evidence |
| Weak vs Strong Supplier Answers | Side-by-side examples of vague claims and reviewable evidence |
## Evidence model used in examples
Each scenario follows the same pattern:
threat/failure mode -> decision -> control -> evidence -> verification -> gaps -> retention
Good evidence is not just a document. It should show:
- what decision it supports;
- which product, supplier, component, release, service, or lifecycle stage it applies to;
- who produced it and who owns it;
- how origin, integrity, freshness, scope, or consistency can be checked;
- what gaps, exceptions, or risk acceptances remain;
- how long the evidence must remain available and useful.
The examples also label weak, better, and stronger answers using the Evidence Maturity Model, so readers can see the difference between assertion, documented process, produced artifact, verifiable artifact, and lifecycle-retained evidence.
## How to use these examples
Use the examples alongside:
- Supplier Security Questions for request wording;
- Evidence Checklist for review criteria;
- Evidence Maturity Model for weak, better, stronger, and lifecycle-retained evidence;
- Evidence Package Template for packaging evidence for review;
- Technology Options for mechanisms that may help produce, protect, exchange, verify, or retain evidence.