Overview
A defence supplier whose AS9100D certificate lapses three weeks before a critical delivery does not have to halt the programme, but neither can a single buyer quietly wave the gap through. The Defence Supplier Certification Waiver Management capability gives prime contractors and procurement agencies a lifecycle-managed way to grant a time-bounded exemption from a named compliance requirement, while guaranteeing that no one person can both request and approve that exemption.
Every waiver is scoped to exactly one thing: a defence supplier identified by its CAGE code or NATO supplier code, a defence programme with its own origin thresholds, or a single quality certificate such as AS9100D, NADCAP, AQAP-2110 or ISO/IEC 27001. The exemption carries a mandatory justification, a mandatory future expiry, and a full record of who asked and who decided. Because waivers sit inside the same defence supply-chain data model that tracks supplier qualification, certificate expiry and origin compliance, an approved exception is never an orphaned spreadsheet entry; it is an auditable part of the approved-supplier-list lifecycle.
The result is a control that satisfies AQAP-2110 and NATO quality assurance audit expectations: separation of duties is enforced, the reason for every decision is captured, and the entire chain of state changes is tamper-evident.
Key Features
- Single-scope exemptions: Each waiver targets exactly one of a supplier, a programme or a quality certificate. The exclusive-scope rule is enforced in the data model and again as a database constraint, so an exemption can never be ambiguous about what it actually excuses.
- Hard four-eyes separation of duties: The requester of a waiver can never approve or reject it. This is enforced in three independent places at once, so a single compromised account or a coding slip cannot bypass it.
- Time-bounded by design: Open-ended waivers are rejected outright. Every exemption must carry a future expiry timestamp, and the lifecycle automatically moves a waiver to an expired state once its deadline passes.
- Mandatory justification and risk acceptance: A waiver request will not open without a written justification, and rejections and revocations require a written reason. The control captures why an exception exists, not just that it does.
- Tamper-evident audit chain: Every request, approval, rejection and revocation emits a SHA-256 hash of the record before and after the change. The before-and-after pairs let auditors reconstruct and verify the full history without trusting the storage layer.
- Classification-aware access: Every waiver operation requires at least EU RESTRICTED clearance. Users whose clearance cannot be established are denied by default rather than allowed through.
- Tenant isolation throughout: Row-level security policies keep each organisation's suppliers, certificates, programmes, waivers and origin rollups invisible to every other tenant across all nine supporting tables.
- Integrated with the qualification lifecycle: Waivers reference the same CAGE-coded suppliers, certificates and programmes used for onboarding, certificate expiry alerting and corrective-action workflows, so an exception is always traceable back to the asset it covers.
Use Cases
Defence prime contractors
A prime managing an approved-supplier list uses waivers to keep a programme moving when a subcontractor's certificate is mid-renewal. The exemption is time-bounded, justified, approved by someone other than the requester, and visible in the same view as the supplier's outstanding corrective actions.
MoD and NATO procurement agencies
Procurement teams reviewing supplier quality posture can see the full set of active exemptions, who requested each one, who approved it, and when it lapses. The separation-of-duties guarantee and the written justification give auditors exactly the evidence AQAP-2110 and NATO quality assurance reviews expect.
Aerospace and defence integrators
Integrators consolidating multi-tier subcontractor supply chains use waivers to manage exceptions against AS9100D, NADCAP, AQAP-2110 and ISO/IEC 27001 certificates held deep in the tier graph, while the origin rollup pipeline keeps EDIP eligibility calculations honest even where a temporary exemption is in force.
EDIP-funded programmes
For programmes funded under the European Defence Industry Programme, exemptions are handled with the same classification controls and tamper-evident audit chain used across the rest of the supply-chain module, supporting the EU RESTRICTED handling requirements that EDIP funding carries.
Integration
Customers plug into the waiver lifecycle and the wider defence supply-chain model through the platform's GraphQL surface and REST endpoints, secured with OAuth2 and JWT-based session tokens carrying the user's clearance level. The benefit is that a procurement portal, a supplier-relationship system or an existing quality management tool can drive the full request, approve, reject and revoke lifecycle without re-implementing the separation-of-duties or audit logic, because those guarantees live in the platform itself.
- REST and GraphQL access: Open a waiver, list those awaiting a decision, and retrieve the history for any supplier, programme or certificate through normalised request and response models that map directly to the underlying records.
- Audit and SIEM streaming: Every state change is emitted as a structured audit event with before-and-after SHA-256 hashes, ready to be forwarded into an existing SIEM pipeline for monitoring and retention.
- Connectors to the qualification data: Supplier records carry CAGE, DUNS and NATO supplier codes; certificate records carry standard, issue and expiry dates with 90-day and 30-day expiry warnings; programme records carry EDIP origin thresholds. Customers reference these identifiers directly when scoping a waiver.
- Webhook-friendly lifecycle: Certificate expiry warnings and corrective-action counters feed the same model the waiver workflow draws on, so downstream systems can react to the qualification posture and the exemptions against it in one consistent stream.
Open Standards
- AS9100D (SAE/IAQG aerospace quality management): Recognised as a first-class supplier certificate standard, so AS9100D certificates can be registered, tracked for expiry, and individually waived.
- NADCAP (National Aerospace and Defense Contractors Accreditation Program): Supported as a named certificate standard for special-process accreditation, with the same expiry tracking and waiver lifecycle as other certificates.
- AQAP-2110 (NATO quality assurance requirements for design, development and production): Supported as a named certificate standard; the four-eyes-enforced, auditable waiver workflow is built to satisfy AQAP-2110 and NATO quality assurance audit expectations.
- ISO/IEC 27001 (information security management): Recognised as a supplier certificate standard, allowing a supplier's information security certification to be registered and, where justified, waived under the same controls.
- EDIP (European Defence Industry Programme): Defence programmes carry EDIP origin-percentage thresholds, and EU, NATO and third-country origin rollups are calculated against them, with the waiver controls available where a temporary exception is required.
- CAGE codes (NATO and US Commercial and Government Entity codes): Used as a primary supplier identifier, so a waiver can be scoped to a precisely identified defence supplier.
- DUNS (Dun and Bradstreet Data Universal Numbering System): Stored alongside the CAGE and NATO supplier codes as a recognised supplier identifier for cross-referencing with external procurement systems.
- EU RESTRICTED classification marking (EU Council Decision 2013/488/EU): Set as the minimum access clearance for any waiver operation, aligning the control with EU classified information handling rules.
Security & Compliance
Separation of duties is the core security property of this capability, and it is enforced defensively rather than trusted to a single check. The requirement that an approver differ from the requester is applied at the service layer, again in the database query that performs the approval, and again as a database constraint on the record itself, so an exemption cannot be self-approved through any path.
Access is gated on classification: every operation requires at least EU RESTRICTED clearance, and a user record whose clearance cannot be read is denied rather than allowed. Tenant isolation is enforced by row-level security across all nine supporting tables, so one organisation's suppliers, certificates, programmes and exemptions are never visible to another.
The audit trail is tamper-evident. Each request, approval, rejection and revocation records a SHA-256 hash of the record before and after the change, captures both the actor and the target, and is streamed to the SIEM pipeline. Justifications are mandatory on creation, and reasons are mandatory on rejection and revocation, giving auditors the full why behind every exception alongside the cryptographic proof that the history has not been altered.
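The layered enforcement described in this section and under Key Features, as an added example that is not the platform's own code: a small Python service that applies the four-eyes rule at the service layer, in the UPDATE that records the decision, and as a CHECK constraint in the database, alongside the exclusive-scope rule, the mandatory future expiry, deny-by-default clearance gating and a SHA-256 before/after audit chain that can be re-verified. Table, column, function and user names are assumptions; SQLite stands in for the production database (row-level security is therefore not shown) and an in-memory list stands in for the SIEM stream; all user, tenant and certificate identifiers are constructed.

```python
"""Waiver lifecycle with layered four-eyes enforcement and a hashed audit trail.
Added illustration, not the platform's own code: names are hypothetical, SQLite
stands in for the production database and a plain list for the SIEM stream."""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

CLEARANCE = {"EU RESTRICTED": 1, "EU CONFIDENTIAL": 2, "EU SECRET": 3, "EU TOP SECRET": 4}

# Layer 3: constraints the engine checks itself, so a direct UPDATE that bypasses
# the service still cannot self-approve, give two scopes or drop the expiry.
SCHEMA = """
CREATE TABLE waiver (
    id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
    supplier_cage TEXT, programme_id TEXT, certificate_id TEXT,
    justification TEXT NOT NULL CHECK (length(trim(justification)) > 0),
    requested_by TEXT NOT NULL, requested_at TEXT NOT NULL, expires_at TEXT NOT NULL,
    decided_by TEXT, reason TEXT,
    state TEXT NOT NULL DEFAULT 'requested'
        CHECK (state IN ('requested', 'approved', 'rejected', 'revoked', 'expired')),
    CHECK ((supplier_cage IS NOT NULL) + (programme_id IS NOT NULL)
           + (certificate_id IS NOT NULL) = 1),               -- exactly one scope
    CHECK (expires_at > requested_at),                        -- strictly future expiry
    CHECK (decided_by IS NULL OR decided_by <> requested_by)  -- four-eyes
);
"""

def digest(row):
    """SHA-256 over a canonical JSON rendering of a row; None hashes as 'null'."""
    return hashlib.sha256(json.dumps(row, sort_keys=True).encode()).hexdigest()

class WaiverService:
    def __init__(self, users):
        self.conn = sqlite3.connect(":memory:")
        self.conn.row_factory = sqlite3.Row
        self.conn.executescript(SCHEMA)
        self.users = users  # constructed directory: name -> {"clearance": level}
        self.audit = []     # structured events, as they would be streamed to the SIEM

    def row(self, wid):
        r = self.conn.execute("SELECT * FROM waiver WHERE id = ?", (wid,)).fetchone()
        return dict(r) if r else None

    def _authorise(self, actor):  # deny by default: an unreadable clearance is not cleared
        if CLEARANCE.get(self.users.get(actor, {}).get("clearance"), 0) < CLEARANCE["EU RESTRICTED"]:
            raise PermissionError(f"{actor}: clearance not established or below EU RESTRICTED")

    def _emit(self, action, actor, wid, before):
        self.audit.append({"action": action, "actor": actor, "waiver_id": wid,
                           "before_hash": digest(before), "after_hash": digest(self.row(wid))})

    def request(self, actor, tenant, justification, expires_at, **scope):
        self._authorise(actor)
        if not justification.strip():
            raise ValueError("a written justification is mandatory")
        now = datetime.now(timezone.utc)
        if expires_at <= now:                      # layer 1: no open-ended waivers
            raise ValueError("expiry must lie in the future")
        cols = [scope.get(k) for k in ("supplier_cage", "programme_id", "certificate_id")]
        if sum(c is not None for c in cols) != 1:  # layer 1: exclusive scope
            raise ValueError("target exactly one supplier, programme or certificate")
        cur = self.conn.execute(
            "INSERT INTO waiver (tenant_id, supplier_cage, programme_id, certificate_id,"
            " justification, requested_by, requested_at, expires_at) VALUES (?,?,?,?,?,?,?,?)",
            (tenant, *cols, justification, actor, now.isoformat(), expires_at.isoformat()))
        self._emit("request", actor, cur.lastrowid, before=None)
        return cur.lastrowid

    def decide(self, actor, wid, approve, reason=None):
        self._authorise(actor)
        before = self.row(wid)
        if before is None or before["state"] != "requested":
            raise ValueError("waiver is not awaiting a decision")
        if actor == before["requested_by"]:        # layer 1: service-level four-eyes
            raise PermissionError("requester cannot approve or reject their own waiver")
        if not approve and not (reason or "").strip():
            raise ValueError("a written reason is mandatory for rejection")
        # Layer 2: the UPDATE itself refuses to act when the actor is the requester.
        cur = self.conn.execute(
            "UPDATE waiver SET state = ?, decided_by = ?, reason = ?"
            " WHERE id = ? AND state = 'requested' AND requested_by <> ?",
            ("approved" if approve else "rejected", actor, reason, wid, actor))
        if cur.rowcount != 1:
            raise PermissionError("decision blocked by the query guard")
        self._emit("approve" if approve else "reject", actor, wid, before)

    def verify_audit(self, wid):
        """Each before-hash must equal the previous after-hash, and the last after-hash
        must match the stored row, so an out-of-band edit to row or log is detected."""
        expected = digest(None)
        for e in (e for e in self.audit if e["waiver_id"] == wid):
            if e["before_hash"] != expected:
                return False
            expected = e["after_hash"]
        return expected == digest(self.row(wid))
```

Calling `decide` as the requester fails at the service check; a raw UPDATE that sets `decided_by` to the requester, or adds a second scope column, fails on the CHECK constraint, which is the point of layering: each guard holds on its own. Revocation and the expiry sweep are not shown; both are further state transitions that would go through `_emit` in the same way, so a later `verify_audit` still walks one unbroken chain.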
Last Reviewed: 2026-06-01 Last Updated: 2026-06-02