cispec

org.cispec.vendor

recommended: any CI acquired through or serviced by a third-party commercial entity

org.cispec.vendor identifies who sells or services a Change Item to the owning organisation — the entity the organisation has a direct commercial relationship with. This is distinct from org.cispec.manufacturer, which identifies who produces the thing.

In most supply chains these are different entities: Cisco manufactures the switch; CDW sells it. Pfizer manufactures the vaccine; a GPO or distributor supplies it. Anthropic manufactures the Claude models; AWS Marketplace or a reseller may be the commercial vendor. Lockheed Martin manufactures the F-35; the DLA or a prime contractor may be the procurement vendor for specific components or services.

The distinction matters operationally: manufacturer is who to call for a product recall, a CVE advisory, or a firmware update. vendor is who to call for a contract dispute, a renewal, a support ticket, or an invoice query. Both facts are needed; neither is derivable from the other.

Applies to any CI with a vendor relationship: physical equipment, software licences, SaaS products, AI API access, maintenance contracts, pharmaceutical supply, facility services.

Value format

The vendor’s commonly used trading name.

org.cispec.vendor=CDW
org.cispec.vendor=AWS-Marketplace
org.cispec.vendor=McKesson
org.cispec.vendor=Anthropic
org.cispec.vendor=Booz-Allen-Hamilton

Note: where the manufacturer sells directly with no intermediary, vendor and manufacturer may carry the same value. This is not a redundancy — it is a statement that the commercial relationship is direct.

Conformance

org.cispec.vendor is RECOMMENDED for any CI with a vendor relationship. Not REQUIRED for Declared conformance.

Attestation

vendor is independently attestable against procurement records, invoices, and contract documentation. For federal procurement, vendornames are verifiable against SAM.gov registrations.

Resolution and relation

Every Change Item sharing the same vendor value forms an edge in the namespace’s knowledge graph — “every CI sourced from CDW” is a real, expected query for vendor risk management, contract renewal planning, and supply chain security reviews.

Document identifier

OID: 1.3.6.1.4.1.42387.2.3.8
GUID: b57413eb-ea61-5ce2-a9a9-274832e2eea0

Related terms