Start Here: Supply Chain Security Reader Paths
Use these role paths when you know your role in the supply chain security assurance workflow but not yet which handbook pages to read first.
The role paths are a routing layer through the existing handbook. They do not replace the main structure:
Standards & Threats -> Practices & Controls -> Technology Options -> Resources
If you already know the task you need to complete, you can go directly to the main sections. If you are starting from your role, choose the closest path below.
Start by role
| Role | Use this path when... |
|---|---|
| Procurement and supplier assurance | You buy, qualify, contract with, renew, or review suppliers based on evidence. |
| Product security | You own product assurance across acceptance, release, vulnerability response, update, and lifecycle monitoring. |
| Supplier or manufacturer | You need to prepare evidence-backed answers for customers, buyers, auditors, or assessors. |
| Audit, compliance, and customer assurance | You need to prepare, review, or explain retained evidence for audit, customer assurance, certification support, or internal review. |
| Technical implementer | You need to implement technical mechanisms, tools, workflows, repositories, or integrations that support assurance decisions. |
| Standards, policy, and compliance mapping | You need to translate external drivers into practices, controls, evidence, technology options, and mapping confidence. |
Main handbook sections
- Standards & Threats explains the standards, regulations, assurance pressures, threats, and failure modes that create the need for action.
- Practices & Controls explains what should operate, what evidence should be produced, and how controls support decisions.
- Technology Options explains mechanisms that may help implement controls or generate, protect, exchange, verify, and retain evidence.
- Resources contains checklists, templates, maturity models, glossaries, workflows, and worked examples.
Common topic shortcuts
- Supplier and Procurement Assurance for supplier assurance, procurement risk, evidence requests, and supplier review.
- Product Acceptance for product trust, component provenance, vulnerability status, updates, supportability, and residual risk decisions.
- SBOM, VEX, and Component Visibility for SBOMs, VEX, xBOMs, component inventories, and vulnerability-status evidence.
- Evidence Checklist for testing whether supply chain security evidence is scoped, current, verifiable, retained, and tied to a decision.