Overview
The Defence Supplier Registry gives prime contractors, defence ministries, and procurement authorities a single authoritative record of every qualified supplier, gated behind the EU_RESTRICTED classification boundary and protected by a tamper-evident audit chain.
Defence programmes live or die on supplier assurance. A programme manager has to know, at any moment, which suppliers carry valid aerospace and defence certifications, which hold the right industry identifiers, which sit at which tier of a specific programme, and which have been disqualified or are at risk of losing their accreditation. This module holds all of that in one classification-controlled registry. Each supplier record carries its NATO CAGE code, D-U-N-S number, and NATO supplier code alongside live certification status, European Defence Industry Programme eligibility, and EU or NATO member flags. Every read and write enforces a minimum clearance level and records a before and after fingerprint, so the registry doubles as the evidence base for defence audit.
Because the registry is multi-tenant and programme-aware, a ministry can run several programmes from one platform while keeping each supplier roster isolated and each qualification decision attributable. Removals are never destructive: a supplier is soft-disqualified with a mandatory reason rather than deleted, preserving the chain of custody that defence audit frameworks demand.
Last Reviewed: 2026-06-01 Last Updated: 2026-06-02
Key Features
- Classification-Gated Access: Every read and write requires a minimum EU_RESTRICTED clearance. A caller whose record lacks sufficient clearance is denied rather than served, so registry contents never cross the programme security boundary.
- Industry-Recognised Identifiers: Each supplier carries its NATO CAGE code, its D-U-N-S business entity number, and its NATO supplier code, giving programmes a consistent way to reconcile suppliers against external registers and prime contractor systems.
- Aerospace and Defence Certification Tracking: Records hold accreditation against AS9100D, NADCAP, AQAP 2110, and ISO/IEC 27001, with active certifications evaluated against their expiry dates so lapses surface before they become programme risks.
- Tier Graph Relationships: Prime and subcontractor relationships are modelled as buyer and seller edges with explicit tier levels, so a programme manager can see exactly where each supplier sits in the supply chain for a given programme.
- Status Facets: Each supplier resolves to a live status of VERIFIED, ISSUE, or NOT_JOINED, derived from disqualification state, open corrective actions, and certifications nearing or past expiry, giving a single at-a-glance health indicator.
- Eligibility and Membership Markers: European Defence Industry Programme eligibility, EU member status, and NATO member status are stored per supplier so eligibility questions can be answered without manual lookups.
- Disqualify and Requalify Lifecycle: A dedicated lifecycle flips a supplier between qualified and disqualified, always with a mandatory non-empty reason, capturing the rationale behind every qualification decision.
- Tamper-Evident Audit Chain: Every state change emits a SHA-256 fingerprint of the record before and after, forwarded to a security information and event monitoring pipeline, so the full history of a supplier is reconstructable and verifiable.
Use Cases
Defence Prime Contractors
A prime managing a multi-tier aerospace programme uses the registry to confirm that every subcontractor on a critical path holds a current AS9100D or NADCAP accreditation, sits at the expected tier, and is not disqualified. The tier graph and status facets remove the spreadsheet reconciliation that normally precedes a programme milestone review.
Defence Ministries and Government Procurement Authorities
A ministry maintains a single authoritative roster of approved suppliers across several programmes, each isolated by tenant. Procurement officers filter by country, by European Defence Industry Programme eligibility, and by EU or NATO membership to assemble compliant supplier shortlists, with each inclusion or exclusion recorded in the audit chain.
Programme Security Officers
A security officer relies on the EU_RESTRICTED gate to ensure that supplier rosters, qualification rationales, and certification details are only ever surfaced to cleared personnel, and on the before and after fingerprints to demonstrate to auditors that no record has been altered outside the controlled lifecycle.
Supplier Assurance and Quality Teams
Quality teams track certifications against their expiry dates and open corrective actions, using the ISSUE status facet to triage suppliers whose accreditation is lapsing or who have unresolved corrective work, well ahead of any contractual deadline.
Integration
Customers connect the registry through the platform's governed REST and GraphQL endpoints, secured with OAuth2 and JWT-based authentication and scoped per tenant. Supplier records, tier edges, certificates, and corrective actions are exposed as normalised entities, so a prime's own programme management system or a ministry's procurement suite reads and writes against a consistent model rather than a bespoke schema.
Read operations cover single-supplier lookup and filtered roster listing by programme, country, tier, disqualification state, and status facet. Write operations cover full create and partial update, plus the dedicated disqualify and requalify lifecycle. The tier graph, certificate roster, and corrective-action history are each reachable from a supplier so client systems can assemble a complete assurance view in a single round of calls. Webhooks and event subscriptions let downstream systems react when a supplier's qualification state changes, so a prime's planning tools stay aligned without polling.
Because identifiers follow industry registers and certifications follow named accreditation standards, the registry slots into existing defence supply chain tooling with minimal mapping. The benefit to the customer is a registry that speaks the same identifier and certification language their auditors, primes, and regulators already use, while keeping every record inside the EU_RESTRICTED boundary and the tamper-evident audit chain.
Open Standards
- AS9100D: the IAQG aerospace quality management system standard for design, development, and production, tracked as a held certification per supplier.
- NADCAP: the Performance Review Institute special-process accreditation programme for aerospace and defence, recorded against suppliers as a current certification.
- AQAP 2110: the NATO Allied Quality Assurance Publication for quality management of design, development, and production, stored as a supplier certification standard.
- ISO/IEC 27001: the information security management system standard, available as a recognised certification on the supplier record.
- NATO CAGE code: the Commercial and Government Entity code from the NATO STANAG and MIL-HDBK-61B namespace, held as a primary supplier identifier.
- D-U-N-S number: the ISO 6523 registered nine-digit business entity identifier issued by Dun and Bradstreet, stored per supplier for external reconciliation.
- NATO supplier code: the NATO-assigned supplier identifier, retained alongside CAGE and D-U-N-S for cross-register matching.
- EDIP: the European Defence Industry Programme defined under EU Regulation 2024/1252, captured as an eligibility flag on each supplier.
- EU_RESTRICTED: the information classification level defined under EU Council Decision 2013/488/EU within the EUCI framework, enforced as the minimum access level for every registry operation.
- ISO 8601: creation, update, and certification expiry timestamps use a standard date-time representation.
Security and Compliance
Access control is fail-closed: a caller must belong to a tenant and hold at least EU_RESTRICTED clearance, and a record missing the clearance field is denied rather than defaulted upward. Tenant isolation ensures one organisation can never read or alter another's supplier roster.
Every successful create, update, disqualification, requalification, and soft removal is recorded with the actor, the tenant, the classification context, and SHA-256 fingerprints of the record before and after the change, forwarded to a security information and event monitoring pipeline for tamper-evident, verifiable history. Disqualification always requires a non-empty reason, so every qualification decision is attributable.
Hard deletes are not exposed. A removal is always a soft disqualification, preserving the references that tier edges, certificates, corrective actions, and the audit chain depend on, and meeting the chain-of-custody expectations of defence audit frameworks.
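The controls in this section can be sketched as follows; this is an added example, not the platform's own code. It shows a fail-closed clearance and tenant check, a soft disqualification that emits before and after SHA-256 fingerprints, and an auditor-side continuity check over one supplier's events. The field names, the level names other than EU_RESTRICTED, the canonical JSON encoding, and the continuity rule are assumptions made for illustration.

```python
import hashlib
import json

# Assumed level names and ordering; the page names only EU_RESTRICTED.
LEVELS = {"EU_RESTRICTED": 1, "EU_CONFIDENTIAL": 2, "EU_SECRET": 3}

# Constructed sample data (placeholder identifiers, not real suppliers).
SUPPLIER = {"id": "sup-001", "tenant_id": "ministry-a", "cage_code": "X0000",
            "disqualified": False}
CLEARED = {"id": "officer-1", "tenant_id": "ministry-a", "clearance": "EU_RESTRICTED"}
NO_CLEARANCE = {"id": "officer-2", "tenant_id": "ministry-a"}  # field missing -> deny

def fingerprint(record):
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def authorise(caller, tenant_id):
    """Fail closed: wrong or missing tenant, missing or unknown clearance all deny."""
    if not caller.get("tenant_id") or caller["tenant_id"] != tenant_id:
        return False
    return LEVELS.get(caller.get("clearance"), 0) >= LEVELS["EU_RESTRICTED"]

def disqualify(record, caller, reason, audit_log):
    """Soft-disqualify with a mandatory reason and append a before/after event."""
    if not authorise(caller, record["tenant_id"]):
        raise PermissionError("clearance or tenant check failed")
    if not reason or not reason.strip():
        raise ValueError("disqualification reason is mandatory")
    updated = dict(record, disqualified=True, disqualified_reason=reason.strip())
    audit_log.append({"action": "disqualify", "actor": caller["id"],
                      "tenant_id": record["tenant_id"], "supplier_id": record["id"],
                      "before": fingerprint(record), "after": fingerprint(updated),
                      "classification": "EU_RESTRICTED"})
    return updated

def verify_history(events, current_record):
    """Return the index of the first break in one supplier's events, else None."""
    # Each event's 'before' must equal the previous event's 'after', and the last
    # 'after' must match the stored record; a mismatch means an unaudited change.
    for i in range(1, len(events)):
        if events[i]["before"] != events[i - 1]["after"]:
            return i
    if events and events[-1]["after"] != fingerprint(current_record):
        return len(events)
    return None
```

A continuity check like this is only as trustworthy as the event store it reads from, which is why the events are forwarded to a separate monitoring pipeline rather than kept beside the records they describe.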