Software Assurance Guardian (SAG) is a patented (US11,374,961) software supply chain risk management (SCRM) tool developed for critical infrastructure operators. It assesses software objects — defined as any digital object containing, constructed by, or considered software — for integrity and authenticity using a comprehensive methodology aligned with CISA SCRM best practices, NIST SP 800-161r1, and OMB M-22-18 guidance. The SAG methodology evaluates software objects across 7 risk categories and 62 independent risk factors to produce a trust score called the SAGScore™. This score represents the assessed trustworthiness of a software object before and during deployment in a digital ecosystem. The product family includes two primary components: - SAG-PM™ (SAG Point Man): The first available product in the family, focused on software supply chain risk management and local assessment execution. - SAG-CTR™ (SAG Cyber Trust Registry): A centralized trust registry ("List of Trusted Software Objects") that aggregates SAG assessment results globally, enabling organizations to look up trust scores for software products before purchase or installation. It also issues trust labels and monitors for new vulnerabilities in already-installed products. SAG is designed to help organizations — particularly smaller critical infrastructure operators — verify software trustworthiness prior to installation, satisfy CISA Secure Software Attestation Form requirements, and detect known exploited vulnerabilities (CISA KEVs) in their software supply chain. The SAG-CTR registry also lists products bearing recognized trust marks such as the FCC US Cyber Trust Mark and EU CE Mark.