This document is focused on the security of the supply chain versus the business management aspects of the supply chain. This document takes a comprehensive view about what providers should do in order to be considered a Trusted Technology Provider that “builds with integrity”. This includes practices that providers incorporate in their own internal product lifecycle processes, that portion of product development that is “in-house” and over which they have more direct operational control. Additionally, it includes the provider’s supply chain security practices that need to be followed when incorporating third-party hardware or software components, or when depending on external manufacturing and delivery or supportive services.

The document makes a distinction between provider and supplier. Suppliers are those upstream vendors who supply components or solutions (software or hardware) to providers or integrators. Providers are those vendors who supply COTS ICT products directly to the downstream integrator or acquirer.

The guidelines, requirements, and recommendations included in this document should be widely adopted by providers and their suppliers regardless of size and will provide benefits throughout the industry.