Fortress PPA
Hands-on hardware, firmware & supplier risk assessment service for supply chains.

Fortress PPA Description
Fortress Information Security's Product Provenance Assessment (PPA) is a hands-on evaluation service that analyzes hardware and software assets to determine the true composition and risk profile of products within an organization's supply chain. The assessment covers three dimensions of risk:

- **Hardware:** Physical teardowns are conducted to catalog components and assess risks including links to banned entities, counterfeit or gray market parts, obsolete/end-of-life components, and side-channel exploits mapped to known CVEs.
- **Firmware & Software:** Binary-level analysis maps embedded software elements (including third-party libraries, dependencies, and hard-coded logic) to identify known CVE vulnerabilities, hard-coded credentials, and use of high-risk or insecure open source dependencies.
- **Supplier:** Intelligence analysis examines geopolitical and structural risks associated with suppliers, including foreign ownership, headquarters and operational locations, mergers and acquisitions, manufacturing site exposure, internet footprint, and fourth-party relationships.

PPAs are available as one-time assessments or as a recurring service integrated into procurement, asset onboarding, acceptance testing, and lifecycle management processes. Continuous monitoring capabilities provide alerts for newly discovered vulnerabilities, changes in manufacturer foreign presence, and new associations with banned or restricted entities.
Fortress PPA FAQ
Fortress PPA is a hands-on hardware, firmware and supplier risk assessment service for supply chains, developed by Fortress Information Security. It is a GRC solution designed to help security teams with Supply Chain Security, Hardware Security, and Firmware Analysis.