Lenovo's product supply chain has been recognized in
Gartner's Top 25 rankings the past three years. It plays a critical role in the
development, manufacture, and delivery of our products. The supply chain begins with
the management and control of a qualified supplier base, which provides qualified
and secure components for use in development and manufacturing.
Critical, large volume
components are tracked via barcodes, and controlled in the supplier’s inventory and
assembly process until receipt at Lenovo. Manufacturing takes place in a secure,
controlled environment, including a secure physical facility, and a secure network.
Completed products are then packaged with tamper-evident seals for boxes and pallets.
Shipments are then tracked from origin to customer delivery.
The diagram below shows the complete product life cycle. The Supply Chain involves
the areas identified as Suppliers, and Lenovo Manufacturing and Test.
In addition, there is
technical work required to support the product throughout its life. Once the product is
shipped, there is typically a need to qualify components to replace any end-of-life
(EOL) parts, as well as a need to provide BIOS/firmware updates through a secure
process. These are part of the overall Life Cycle Management and Support of the
Product Planning and
Development involves many areas throughout the product life cycle. Planning activity
begins by defining security requirements when products are first being conceived In
order to balance needs of security and data availability. Enhancements are in process to
include ongoing review and improvements to critical secure development processes through
which the products are designed and tested. Once the security requirements are
documented, Lenovo’s product development teams establish plans to incorporate
appropriate features into the new products. The Development phase focuses on the
- Development and Qualifications
Supplier Management & Control
A strong supplier base in the product supply chain – including
ODMs, OEMs, component manufacturers, BIOS and software providers -- is critical to the
success of any technology device maker. To help ensure this, Lenovo has a process for
qualifying its core suppliers, and then formally evaluating them on a quarterly basis.
Many Lenovo suppliers have been its partners for over 20 years. These relationships are
carefully managed and new suppliers are thoroughly assessed.
Lenovo has enhanced our supplier relationships through a Trusted Supplier Program.
The goal of the program is management of customer risk through the implementation of a
documented and auditable supply chain security program as one part of the total product
security process. The Trusted Supplier Program focuses on suppliers of intelligent
components, ODM’s, OEM’s, and repair service providers that could impact customer
Intelligent components include:
- Any software or firmware program on any microprocessor,
- The microprocessor itself,
- Any semiconductor device that has data processing ability,
- Any component or device that has internal memory,
- Any component or device that performs an input/output function
Lenovo proactively and continually reviews its sourcing
requirements to ensure that we keep up with - and stay ahead of - trends and
vulnerabilities as they arise in the technology marketplace.
Lenovo’s work to ensure the security of its products and supply chain has been recognized
by Chain Security, LLC, one of the leading security firms in the United States. This
conclusion comes after almost three years of detailed study into Lenovo’s security processes,
corporate governance and supplier programs. The result of this analysis is a 20-page Letter
of Attestation in which Chain Security details their work with Lenovo, the changes and
improvements Lenovo has made in the last two years and Chain Security’s conclusion that Lenovo
“is likely ahead of the industry” in terms of these security processes.
To read the full letter, click here.
Lenovo relies on its global supply chain to help design, build,
and deliver technology solutions our customers can trust. Strategically, there are five
key areas/steps that we follow in managing risks to the supply chain:
- Identify potential risks to the supply chain;
- Protect Lenovo’s supply chain with special controls;
- Detect issues early, giving more time and options with which to respond;
- Respond as quickly as possible to mitigate any threats; and
- Recover with minimal disruption to customers by designing a supply chain that is
To fulfill this strategy, Lenovo constantly keeps its supply
chain systems evaluated, updated, and optimized to meet customer and business needs.
- Lenovo regularly audits our suppliers and vendors for compliance, security, and
financial health. For critical components, there will be an assessment on the need
for multiple suppliers (or multiple supplier manufacturing sites).
- Lenovo also closely monitors internal processes, testing the strength of our
controls on a regular basis.
Any circumstance that impacts our ability to meet our customers’ needs must be
monitored, analyzed, and managed - and eventually mitigated. By identifying issues
early, Lenovo can:
- Adjust supply chains to minimize impact
- Work with suppliers to address issues
- Replace supplier if issues remain unresolved
Minimizing risk for both Lenovo and its customers in the supply
chain is critical.
A secure manufacturing site requires the following:
- Physical security: strong practices and controls manage the security of personnel
and physical plants. This includes access controls, and monitoring of visitors and
- Secure manufacturing processes: inside manufacturing areas, production processes and
controls are closely managed, while major components and subassemblies are tracked
electronically. Final products are inspected, and then tested to confirm they meet
security, reliability, and functionality requirements.
- Secure software imaging and BIOS distribution: customer imaging (i.e. the
pre-installation of customer selected OS and other application software) and BIOS
setup are sensitive steps in the manufacturing process; Lenovo takes extra
precautions to keep these protected from any kind of outside tampering.
Lenovo logistics covers packaging, shipping, and
delivery. Once the products are built and tested, they are packaged and prepared for
shipping with tamper-evident materials so that any problems can be noticed immediately
and in route, and the incident investigated. After packaging, Lenovo works with
qualified logistics suppliers to safely deliver products to end customers. Protection
throughout the shipping process includes secure facilities, trucks and conveyances, and
thoroughly-screened employees, visitors, and drivers. Shipments are tracked from the
time they leave Lenovo buildings until they are received at a customer's location.
Lenovo's commitment to security continues well after products
are delivered to customers. Operating system and applications software, chipsets,
firmware, and BIOS can have frequent updates from Lenovo as well as its ecosystem
suppliers,including phone carriers. These updates can be scheduled improvements,
or they can be in response to work done by the PSIRT to fix a security vulnerability.
Whatever the reason, Lenovo has processes in place for the
secure delivery of software updates and componentry throughout the life of the
product, even in instances when suppliers may have ended production of components being
used in Lenovo systems. This creates a need to qualify new parts that can be used for
service. Lenovo is committed to source replacement parts from suppliers on the Trusted