1 Supply Chain Risk Management Fundamentals

accordion tango, liquid drum and bass bluegrass, symphonic mento · 3:33

Lyrics

[Verse 1]
When components cross the border, secrets hidden in the code
NIST eight-oh-one-six-one revision one shows the road
Suppliers nest like Russian dolls, each layer holds a key
Compromise spreads upstream fast, infecting all you see

[Chorus]
Build means trust your blueprints, Partner means verify
Buy means deepest scrutiny before you certify
Tiers cascade from critical down to commodity
Supply chain armor weakens at its frailest boundary

[Verse 2]
Controlled Goods Program registration, maple leaf and crown
Canadian secrets stay secure when systems lock them down
Designate your officers, train staff on what they guard
Physical and digital domains both need your regard

[Chorus]
Build means trust your blueprints, Partner means verify
Buy means deepest scrutiny before you certify
Tiers cascade from critical down to commodity
Supply chain armor weakens at its frailest boundary

[Verse 3]
ITAR locks down military tech, State Department's eyes
Export Administration Rules watch commerce in disguise
Dual-use items need a license, categories define the scope
Canadian firms must navigate these regulations rope by rope

[Bridge]
Vendor questionnaires reveal the truth beneath the surface shine
Software bills of materials map each component line
Continuous monitoring catches threats that evolve each day
Third-party assessments validate what vendors say

[Chorus]
Build means trust your blueprints, Partner means verify
Buy means deepest scrutiny before you certify
Tiers cascade from critical down to commodity
Supply chain armor weakens at its frailest boundary

[Outro]
Risk acceptance, risk transfer, mitigation or avoid
Defence Industrial Strategy keeps the nation's trust deployed
