Integrity and Transparency for Trustworthy Supply Chain
supply chain information landscape are shifting in ways that may allow for essential insights to be gained without coercive governmental action.
3 OPPORTUNITIES FOR INSIGHTFUL DATA
While private sector companies have for many years honed supply chain risk management data analysis to optimize operations and process, as described above, there are new efforts emerging to collect the types of data needed for understanding and decisions regarding supply chain sourcing, security, quality, and resilience. These new types of data collection are primarily focused on characterizing details about products, claims, and provenance relevant to product supply chains. Product-related data can include physical or functional characteristics but also may include details of product composition, product claims, and product pedigree and provenance.
Claims data may consist of statements associated with an item, including its characteristics, capabilities, status, or conformance against a standard, regulation, or criteria. Such claims are typically associated with a product but may also apply to other supply chain relevant entities, including organizations, people, processes, facilities, etc. Provenance data includes details of how a product, or some other supply chain relevant entity, achieved its current state. It could include the operations (i.e., actions or events) that occurred, the flows (e.g., material, information, or money), products, organizations, locations, infrastructure, etc.
With these conceptual components, provenance data can be harvested at various levels of supply chain detail, including single node, single supply sub-chain, single chain, multi-chain, industry-wide, etc. Standards for all of these new types of data are needed, and efforts to define them, at various levels of maturity, are under way, including those mentioned below [5, 6, 7, 8].
At present, most of these new efforts (both new data standards and new data sharing) are disjointed and tactically focused, each aimed at a single product, supply chain link, supply chain, class of item, type of data, industry, or geography. Most of these new standards efforts are focused on characterizing individual supply chain links, supply chains, or sub-chains so that one party can share with another the data necessary to support localized understanding and decision making by the product consumer.
From a national security perspective, a different lens is required. There is, for example, an emerging need for transparency in software and hardware supply chains. This has spawned rapid evolution of standards for Bills of Material (BOMs) and related information, as shown in Figure 3-1, with a particularly active focus on software bills of materials (SBOMs).
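An SBOM is only useful for transparency if its contents are internally consistent: every declared dependency must resolve to a listed component, and each component should carry an integrity hash that downstream parties can verify. The following is an added example, not from the report or from any SBOM project: a small consistency check over a CycloneDX JSON document, using the field names of the published CycloneDX JSON schema (bomFormat, specVersion, components, bom-ref, hashes, dependencies) and a sample SBOM constructed for illustration.

```python
"""Minimal consistency check over a CycloneDX JSON SBOM (added example)."""
import json

# Constructed sample SBOM: one component lacks an integrity hash and one
# dependency edge points at a bom-ref that is never declared.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "2.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "bom-ref": "libfoo",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "libbar", "version": "0.9.0", "bom-ref": "libbar"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libfoo", "libbar", "libbaz"]},
    ],
})


def check_sbom(doc_text):
    """Return a list of findings; an empty list means the SBOM is internally consistent."""
    doc = json.loads(doc_text)
    findings = []
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        findings.append("not a CycloneDX document")
        return findings
    declared = set()
    root = doc.get("metadata", {}).get("component")
    if root and root.get("bom-ref"):
        declared.add(root["bom-ref"])
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        declared.add(ref)
        # A component without a hash carries no verifiable integrity claim.
        if not comp.get("hashes"):
            findings.append(f"no hash for component {ref}")
    for edge in doc.get("dependencies", []):
        # Both the source ref and every dependsOn target must be declared.
        for target in [edge.get("ref")] + edge.get("dependsOn", []):
            if target not in declared:
                findings.append(f"dependency ref {target!r} not declared in components")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the sample, the check reports the hash-less component and the dangling dependency reference; a clean document yields an empty list.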
Over the last few years, the work in the Linux Foundation and Open Web Application Security Project (OWASP) on the System Package Data Exchange (SPDX) [7] and CycloneDX [8] standards, respectively, has dramatically evolved both sets of work. They now address today's interest in BOMs for software, hardware, systems, AI models, and datasets as well as claims about the
62 May 2025