What it shows:
A supply-chain map tracking how vendor-supplied software binaries move from the external vendor into the secure environment. It details the staging areas where artifacts are held and checked before use (e.g., container registries, MSI packaging) and the specific automation tools (e.g., SCCM, Ansible) that push the software to its final target infrastructure.
Why it’s needed:
Secure supply chain and deployment consistency. The map shows the InfoSec and Operations teams that the installation path is repeatable and automated, and that every artifact passes through a controlled staging and verification step before it reaches production, rather than being copied by hand, unverified, onto production servers. It also makes clear which deployment tools must be in place and configured before the software can be rolled out.
When to use it:
Highly recommended for SADs and HLDs when deploying software into isolated, zero-trust, or highly restricted networks, rolling out rich-client applications to enterprise desktops, or using Infrastructure-as-Code (IaC) and CI/CD pipelines to build server clusters.
When NOT to use it:
Generally best to omit for true Software-as-a-Service (SaaS) deployments where the vendor hosts everything and distribution consists solely of opening a web browser. It can also be skipped for tiny, isolated “sandbox” installations where software is manually installed once and never scaled.
Example:

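The following is an added illustration, not an example from the original page, of the verification gate that sits between the vendor drop and the staging area on such a map. It is a POSIX shell script that admits a vendor binary into a staging directory only when its SHA-256 digest matches the vendor-published manifest, and fails closed otherwise. The manifest format (lines of "sha256  filename"), the directory names, and the sample files are all assumptions made for the example; a production gate would additionally verify the vendor's signature over the manifest, which this example does not do.

```shell
#!/bin/sh
# Added example: fail-closed staging gate for vendor binaries.
# Assumed layout (not from the page): a vendor drop directory, an internal
# staging directory, and a vendor manifest of "sha256  filename" lines.

# Print the SHA-256 hex digest of a file; works with GNU coreutils or BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_stage FILE EXPECTED_SHA256 STAGING_DIR
# Copies FILE into STAGING_DIR only when its digest equals EXPECTED_SHA256.
# Returns 0 on success, 1 on any mismatch or missing file (nothing is staged).
verify_and_stage() {
  file=$1; expected=$2; staging=$3
  [ -f "$file" ] || { echo "REJECT: missing artifact $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "REJECT $file: expected $expected, got $actual" >&2
    return 1
  fi
  mkdir -p "$staging"
  cp "$file" "$staging/"
  chmod 0444 "$staging/$(basename "$file")"   # staged copy is read-only
  echo "STAGED $file -> $staging"
  return 0
}

# stage_from_manifest MANIFEST VENDOR_DROP STAGING_DIR
# Processes every "sha256  filename" line of MANIFEST; stops at the first
# failure so a single tampered artifact blocks the whole release (fail closed).
stage_from_manifest() {
  manifest=$1; drop=$2; staging=$3
  while read -r digest name; do
    [ -n "$digest" ] || continue              # skip blank lines
    verify_and_stage "$drop/$name" "$digest" "$staging" || return 1
  done < "$manifest"
}

# Self-contained demo with constructed files (not real vendor artifacts).
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/agent.bin"          # "good" vendor binary
printf 'hallo\n' > "$demo_dir/agent-tampered.bin" # same name, altered content
good_hash=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
printf '%s  agent.bin\n' "$good_hash" > "$demo_dir/manifest.txt"

stage_from_manifest "$demo_dir/manifest.txt" "$demo_dir" "$demo_dir/staging"
verify_and_stage "$demo_dir/agent-tampered.bin" "$good_hash" "$demo_dir/staging" \
  || echo "tampered artifact correctly rejected"
```

The point a reviewer of the map should look for is that the gate has no bypass: the only write path into the staging area is the verified copy, and the deployment tools (SCCM, Ansible, the registry) read from staging only, never from the raw vendor drop.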