CISA HBOM Framework
Understand the federal standard for hardware bill of materials.
Why Device Provenance Matters
Dealing with challenges such as IP Theft, Export Violations, and overproduction make supply chain security a global challenge. Device provenance is a foundation of trust in hardware. With AMD, you gain cryptographically verifiable traceability information from design hand-off to finished silicon. The device provenance solution is built on the following three pillars.
Traceability
Access device provenance metadata in industry-aligned Hardware Bill of Materials (HBOM) format for easier compliance and reporting.
Authenticity & Integrity
Cryptographic signatures protect our design files and HBOMs, helping ensure data cannot be forged or altered in transit.
Auditability
Speed up root cause analysis of supply chain issues and enable third-party audits.
Provenance Services
HBOM Retrieval
Get a CISA-compliant Hardware Bill of Materials (HBOM), cryptographically signed by AMD for your device. Streamline compliance, reduce reporting time, and maintain confidence in your hardware.
HBOM Endorsement
Validate the authenticity and integrity of your HBOM with AMD Endorsed Provenance Data. Confirm integrity, simplify regulatory checks, and strengthen supply chain trust.
Resources
FAQs
What is the AMD Device Provenance Service and what does it do?
The service enables customers to retrieve device-specific provenance information as a digitally signed Hardware Bill of Materials (HBOM) and later verify that this provenance information was issued by AMD and has not been altered.
What is the difference between HBOM Retrieval and HBOM Endorsement?
HBOM Retrieval returns an AMD signed HBOM for a given device identifier, while HBOM Endorsement checks a provided HBOM against AMD records and signatures to confirm the provenance information’s authenticity and integrity.
What format are HBOMs provided in and which standards does the service align to?
HBOMs are delivered using the SPDX 3.1 Draft hardware profile and align with the CISA HBOM framework, and they are cryptographically signed under AMD managed PKI to support verifiable provenance.
How do I access the service and which identifiers can I use?
You can scan a product barcode or enter a device unique identifier via a web or mobile interface, and an API is available for integration; accepted identifiers typically include serial numbers such as Public Serial Number (PSN) or Processor Product Identification Number (PPIN).
Which products are covered and what level of detail should I expect?
Initial coverage focuses on AMD silicon components with planned expansion to subsystems and reference solutions, and includes information such as lot, wafer, and other die and package level fields such as die XY wafer location, Fab location, etc.