ENHANCING TRANSPARENCY, REDUCING RISK

Build trusted, resilient supply chains and demonstrate the integrity of hardware and software products.

The Supply Chain Product Assurance Playbook is a proven and scalable process through which companies can assure hardware and software products and supply chains, build trust with customers, combat growing FOCI exposure, and proactively comply with emerging regulations related to product and supply chain security.

The Supply Chain Product Assurance Playbook enables risk identification, assessment, and remediation through enhanced sub-tier visibility, part and component level insights, and comprehensive supplier risk reporting and monitoring, equipping companies with the tools ensure and demonstrate product integrity, while facilitating rapid mitigation of identified risks.

Trusted Products

Create trusted relationships with customers through demonstrated proactive investment in risk identification and remediation in products integral to their operations.

Resilient Supply Chains

Rapidly respond to unexpected disruptions like geopolitical conflicts, natural disasters, or capacity shortfalls thanks to sub-tier visibility and item-level mapping.

Validated and Up-to-Date HBOMs and SBOMs

Generate or verify software bills of materials (SBOMs) through binary analysis, validate hardware bills of materials (HBOMs), continuously monitor suppliers, and store BOMs in a platform that permits real-time changes to product composition or supply base.

Pathway to Product Assurance

STEP 1

Product Transparency

Exiger receives SBOM, HBOM, and software binaries for target product(s). Companies provide an attestation specifying the accuracy and composition of the provided artifacts.

In the event that accurate SBOMs or HBOMs are not available, Exiger can generate SBOMs using binary files and can also ingest technical data packages (TDPs) and engineering drawings to develop HBOMs.

STEP 2

Sub-tier Supply Chain Illumination

Map the entire sub-tier supply chain from the finished product to the raw material inputs.

Exiger analyzes your HBOMs, TDPs, SBOMs, and binaries and leverages Natural Language Processing (NLP) and machine learning to parse more than 7 billion international bills of lading, customs records, and cyber relationships to map hardware and software product supply chains through multiple tiers of suppliers.

STEP 3

Supplier Risk Assessments

Identify, assess, and visualize holistic risk profiles for every supplier in 1Exiger’s interactive platform.

The 1Exiger platform queries over 31 million structured and unstructured data sets to generate, classify, and prioritize risk profiles for suppliers identified in Step 2. Each supplier receives a numerical score based on 4 categories of risk: foreign ownership, control, or influence (FOCI); reputational, criminal, and regulatory; financial; and operational.

STEP 4

Component and Part-Level Risk Reporting

Detail risks associated with specific parts and components.

Exiger analyzes hardware parts for counterfeit, single-source, end-of-life, and integrity risk. Software components are analyzed for bus factor, integration, and end-of-life risks, and any packages with CVEs or Known Exploited Vulnerabilities (KEVs) are flagged. Beyond leading indicator risk, Exiger conducts FOCI analysis on software components, tracing provenance to highlight potential obfuscation and identifying committers affiliated with high-risk jurisdictions or entities.

STEP 5

Mitigation Design and Implementation

Implement targeted mitigation strategies to strengthen your supply chain resilience.

Leveraging decades of cybersecurity and regulatory risk experience, experts from The Chertoff Group work with product owners to prioritize identified risks for targeted mitigation and then support the development and implementation of mitigation plans.

STEP 6

Communication and Collaboration

Build Trust and Assure Stakeholders with Transparent Risk Mitigation Updates.

Once mitigations are committed to or in place, the product owner, with support from The Chertoff Group, will socialize the action plan with decision-makers as a trust-building measure to communicate product assurance and alleviate customer concerns. Vulnerability Disclosure Reports for software help streamline outreach to customers. In some cases, communications may extend beyond the product to concerns about risks inherent to the product owner at the entity level.

WHO IS THE PLAYBOOK FOR?

The Comprehensive Assurance Solution for Government Contractors, Regulated Industries, and Global Enterprises

Compliance playbook for US Government Contractors

Demonstrate compliance to federal agencies and illuminate the true nature of FOCI connections for every tier of your product’s supply chain. Satisfy requirements for FOCI risks, Section 889, the TAA, the Department of Defense Supply Chain Risk Management Framework, the Department of Energy Supply Chain Cybersecurity Principles, Executive Orders 14028 (Compilation and Maintenance of SBOMs) and 14017 (Onshoring of Critical Product Manufacturing.

Product Assurance Playbook - Critical Infrastructure

Energy producers, telecommunications providers, and other critical infrastructure can illuminate every stage of their production and validate their own supply chain and products as well as the product pedigree and provenance of that of their vendors to ensure their supply chain is secure and compliant with applicable regulations including Department of Energy Supply Chain Cybersecurity Principles, Executive Orders 14028 (Compilation and Maintenance of SBOMs).

Product Assurance Playbook - ESG Compliance

The Exiger Supply Chain Product Assurance Playbook supports organizations in meeting Environmental, Social, and Governance (ESG) compliance by ensuring transparency and accountability across every level of their supply chains. It addresses critical EU regulations like the EU Deforestation Regulation (EUDR), Corporate Sustainability Due Diligence Directive (CSDDD), Digital Operational Resilience Act (DORA), and the EU Critical Raw Materials Act, among others. By mapping and monitoring sub-tier suppliers, the Playbook identifies risks associated with environmental impact, labor practices, and governance. This comprehensive visibility allows companies to proactively address potential ESG-related vulnerabilities and align with EU and global standards, ultimately building trust with regulators, investors, and stakeholders who prioritize sustainable, ethical business practices.

REPORTS

What Are the Outputs and Deliverables of the Playbook?

The Supply Chain Product Assurance Playbook is aligned to requirements in numerous U.S. Government regulations and directives, including the Department of Defense Supply Chain Risk Management Framework, the Department of Energy Supply Chain Cybersecurity Principles, Executive Orders 14028 (Compilation and Maintenance of SBOMs) and 14017 (Onshoring of Critical Product Manufacturing).

Additionally, the risk assessment and mitigation services described above enable compliance with various U.S. and European supply chain regulations, including the Uyghur Forced Labor Prevention Act, the German Supply Chain Act, the CHIPs Act, the European Critical Raw Materials Act, and the EU Cyber Resilience Act.

Frequently Asked questions

Can I participate in the Product Assurance Playbook if my data is Controlled Unclassified Information (CUI)?

The Supply Chain Product Assurance Playbook process is suitable for any industry, including energy, telecommunications, defense, healthcare, and the U.S. Government. Exiger’s Federal Cloud, a FedRAMP Moderate Authorized platform, ingests, aggregates, and analyzes bills of materials (BOMs) and parts data marked as Controlled Unclassified Information (CUI) so that companies delivering mission-critical hardware and software products can engage in the Playbook process with confidence.

What makes the Product Assurance Playbook unique compared to other solutions?

The Product Assurance Playbook is the only solution that provides a complete understanding of the entity and component/material level of both physical and software supply chains to illuminate risks that would go undetected by other solutions. The powerful context from a provides hyper relevance to cut through the noise and find true risk – even for scaled enterprises with large supply bases and datasets.

GET IN TOUCH

Ready to Fortify Your Supply Chain?

Exiger can help you build trusted, resilient supply chains and demonstrate the integrity of hardware and software products.

The Supply Chain Product Assurance Playbook leverages Exiger’s AI technology and The Chertoff Group’s cybersecurity and regulatory expertise to map, monitor, and mitigate supply chain risks, driving measurable risk reduction and building trust.