Skip to main content

Choosing Supply Chain Security Technology Options

Technology choices should start from the assurance decision, not from the acronym. A mechanism is useful when it helps operate a control, produce or protect evidence, exchange that evidence with the right party, or verify that the evidence is still meaningful.

This page helps teams decide which option areas are relevant without turning any single technology into a blanket requirement.

Start with the assurance need

Assurance needUseful option areasEvidence or workflow supported
Identify a device, product, component, platform, or supplier-provided serviceTrust Anchors and Device Identity, Signing, Keys, and CredentialsDevice identity, platform identity, certificate chains, key lifecycle records, credential issuance records
Show what software, firmware, component, dependency, or vulnerability information is presentSBOM, VEX, and Component VisibilitySBOM/xBOM records, component inventories, vulnerability status records, dependency metadata
Compare measured or reported state against expected stateAttestation and Measured State, Evidence Exchange and Verifier WorkflowsMeasurements, reference values, attestation evidence, verifier appraisal results
Protect release, update, recovery, or evidence artifacts from unauthorized changeSigning, Keys, and Credentials, Secure Update and Recovery MechanismsSigned releases, update authorization records, recovery artifacts, key-use logs
Exchange evidence between suppliers, product teams, operators, assessors, and customersEvidence Exchange and Verifier WorkflowsEvidence requests, attestation exchange, SBOM distribution, verifier policies, APIs
Retain evidence for acceptance, audit, renewal, vulnerability response, or incident reviewEvidence Repositories, Logs, and RetentionEvidence packages, repository metadata, verifier logs, access records, retention records

Selection questions

What decision will the option support?

Name the decision first: supplier selection, product acceptance, release approval, update eligibility, vulnerability response, audit readiness, transfer, repair return-to-service, or decommissioning. If the decision is unclear, the technology choice will be hard to justify.

What evidence is needed?

Identify whether the decision needs identity evidence, composition evidence, measured-state evidence, signed artifacts, vulnerability status, lifecycle-state records, verifier results, or retained audit material. Then choose options that support that evidence type.

Who needs to verify it?

Evidence may be verified by an internal product team, procurement team, operator, customer, auditor, assessor, automated verifier, or relying-party service. The recipient affects format, transport, trust anchor, retention, and explanation requirements.

What has to exist around it?

Most options need supporting practices: key governance, supplier obligations, release controls, reference-value management, repository access controls, verifier policies, exception handling, and evidence retention. A mechanism without the surrounding practice is usually weak assurance.

Also distinguish the named option from the concrete implementation. Many options in this section are standards, protocols, architectures, formats, or product categories rather than single products. A TPM, DICE design, SPDM endpoint, SBOM format, TEE, secure element, or verifier workflow still needs an implementation scope, version, supplier, configuration, provisioning model, and evidence path before it can support an assurance decision.

Vendor, product, and tooling examples in these pages are illustrative, not endorsements or complete market surveys. Use them to understand the kind of implementation evidence to request.

What does it not prove?

Record the limits explicitly. An SBOM does not prove components are safe. A signature does not prove content is acceptable. Attestation does not prove provenance without expected-state baselines. A repository does not make evidence trustworthy unless origin, integrity, access, and interpretation are preserved.

If the answer is "we do not know", record that as a limit rather than treating the technology as assurance.

Selection pattern

Use this pattern when choosing or documenting a technology option:

StepQuestion
Practice/control needWhich practice or control is this supporting?
Evidence needWhat record, claim, artifact, measurement, log, or appraisal result is needed?
Technology optionWhich mechanism, format, protocol, repository, tooling category, or workflow may help?
DependenciesWhat keys, trust anchors, policies, baselines, repositories, tools, or roles must exist?
VerificationWho verifies the evidence, against what policy, and how often?
LimitsWhat would remain unproven or require manual review?
RetentionHow long must the evidence remain available, explainable, and bound to the product or lifecycle state?

Supplier and implementer questions

Questions to ask suppliers

  • Which technology option are you using, and what assurance decision does it support?
  • What evidence does it produce, protect, exchange, verify, or retain?
  • What product, component, platform, service, release, or lifecycle state is the evidence bound to?
  • What version, profile, implementation scope, or certification claim is relevant?
  • What does this option not prove without additional controls or evidence?

Questions to ask internally

  • Are we treating this as a requirement, evidence format, implementation option, verifier workflow, repository pattern, or contextual reference?
  • What mapping confidence applies: direct, supporting, contextual, adjacent, or gap?
  • Who is responsible for verifier policy, exception handling, retention, and refresh?

Questions to ask assessors or auditors

  • Is the source, version, mapping rationale, and implementation scope visible enough to review?
  • Are advisory mappings clearly labeled as guidance?
  • Are endorsement, compliance, and certification claims avoided unless directly supported?