Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain.
CONTROL ID
08878
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a system of transparency and controls over the entire supply chain., CC ID: 08879
  • Collect and disclose payments to purchasers., CC ID: 08880
  • Collect and disclose ownership information to purchasers., CC ID: 08881
  • Collect and disclose mine locations to purchasers., CC ID: 08882
  • Collect and disclose extraction information to purchasers., CC ID: 08883
  • Provide products or services per customer requests., CC ID: 08893
  • Collect and disclose facility locations to purchasers., CC ID: 08884
  • Provide product information to purchasers., CC ID: 08894
  • Collect and disclose supply chain members to purchasers., CC ID: 08885
  • Define the traceability documentation required for chain of custody certification., CC ID: 08895
  • Collect and disclose transportation routes to purchasers., CC ID: 08886
  • Implement chain of custody procedures., CC ID: 08896
  • Collect and disclose documentation of security forces to purchasers., CC ID: 08887
  • Validate the mine of origin for sourcing of materials against independent data., CC ID: 08897
  • Collect and disclose all local exporters to purchasers., CC ID: 08888
  • Trace materials to their origin., CC ID: 08898
  • Collect and disclose information provided by local exporters to purchasers., CC ID: 08889
  • Review documentation that justifies the sourcing and chain of custody., CC ID: 08899
  • Employ digital information sharing systems to assess supply chain due diligence., CC ID: 08918
  • Receive and follow up on supply chain grievances., CC ID: 08901
  • Establish, implement, and maintain supply chain onsite investigation procedures., CC ID: 08919
  • Establish, implement, and maintain a community-monitoring network to provide information about the supply chain., CC ID: 08922
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization should establish a chain of custody or traceability system over the mineral supply chain. (Annex I ¶ 1(C), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates the mine the mineral originated from on a disaggregated basis for minerals from a "red flag location of mineral origin and transit". (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates the quantity and dates of extraction on a disaggregated basis for minerals from a "red flag location of mineral origin and transit". (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates where the minerals are consolidated, processed, or traded on a disaggregated basis for minerals from a "red flag location of mineral origin and transit". (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates all taxes, fees, royalties, and other payments to governmental officials for extracting, trading, transporting, and exporting minerals on a disaggregated basis for minerals from a "red flag location of mineral or… (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates all taxes and other payments to public security forces or private security forces on a disaggregated basis for minerals from a "red flag location of mineral origin and transit". (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates the names of all persons in the upstream supply chain on a disaggregated basis for minerals from a "red flag location of mineral origin and transit". (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should have a chain of custody or traceability system that generates the transportation routes on a disaggregated basis for minerals from a "red flag location of mineral origin and transit". (Supplement on Tin, Tantalum, and Tungsten Step 1: C.4(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should establish a chain of custody or traceability system that collects and maintains disaggregated information for all gold input and output from a red flagged supply chain. (Supplement on Gold Step 3: § I.B.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The auditor should ensure traceability is established between the receiving smelter and the supplying smelter for all purchases. (§ A(I) Applicable to ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Original manufacturers and distributors should be required to provide acquisition supply chain traceability and certificates of conformance. (App C § C.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The manufacturer certification should include the manufacturer, distributor, distributor purchase order number, part number, quantity, and date code. (App C § C.2.2, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The manufacturer certification must accompany parts shipped to the end user. (App C § C.2.2, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Military parts bought through authorized distributors must include a certificate of conformance that shows the full supply chain traceability. (App C § C.2.2, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The seller should be able to provide full supply chain traceability for the purchased parts, to include the names and addresses of prior sources. (App D § D.1.1.a, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Implementing C-SCRM requires enterprises to establish a coordinated team-based approach and a shared responsibility model to effectively manage cybersecurity risks throughout the supply chain. Enterprises should establish and adhere to C-SCRM-related policies, develop and follow processes (often cro… (2.3.1. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]). (PS.3.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Tracks, documents, and disseminates to relevant ICT supply chain participants changes to the provenance; (PV-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)