Introducing Manifest Foreign Risk

Kayleen Standridge
June 4, 2026

Know Who Wrote the Code in Your Software

Today, we are launching Manifest Foreign Risk, a new generally available capability that gives security teams contributor-level visibility into the open source components inside their software.

For the first time, organizations can systematically identify whether open source contributors are affiliated with sanctioned nations, foreign military organizations, intelligence agencies, or state-controlled institutions, and act on that information before software ships.

Why We Built This

Government, defense, and enterprise customers have been asking us the same question for years: how do we know there is no foreign influence in the software we build and buy?

Until now, there was no good answer.

Security teams could tell you what was in their software. They could tell you which components had known vulnerabilities, which licenses applied, and which vendors had passed a questionnaire. What they could not tell you was who wrote the code, where those contributors were based, who employed them, or what institutions appeared in their professional history.

That is the gap Manifest Foreign Risk closes.

Why This Matters

This launch is not happening in a vacuum. The regulatory environment has shifted in ways that make contributor provenance a business-critical concern, not just a security nicety.

In May 2024, DoW issued Instruction 5205.87, extending Foreign Ownership, Control, or Influence (FOCI) requirements to any company holding unclassified DoW contracts over $5M. What was once limited to cleared contractors and classified programs now applies across a much broader slice of the defense industrial base, including commercial software vendors who have never considered FOCI their problem.

DoW now has explicit authority to cancel contracts or require mitigation if FOCI is found. As we explored in past blogs, this is part of a broader shift in how governments are thinking about software risk. It is no longer purely about vulnerabilities. It is about control, authorship, and provenance.

Defense is not the only sector feeling this pressure. The BIS Connected Vehicles rule prohibits vehicles containing software tied to Chinese or Russian ownership or control starting in Model Year 2027. The pattern is clear. Regulators across sectors are deciding that knowing what is in your software is no longer enough. You need to know who shaped it.

What Manifest Foreign Risk Does

Manifest Foreign Risk analyzes the contributors behind open source components in any software bill of materials (SBOM). It draws on a database of 20 billion foreign risk records across 18 risk categories, including government affiliation, military ties, security and intelligence associations, defense university connections, restricted entity links, and more, all sourced from public records, corporate filings, sanctions lists, and open source intelligence (OSINT).

Every contributor surfaces with one of three risk signals.

Banned Country. Commit metadata, residency, or organizational affiliation places this contributor in a country on your prohibited list.

Institution Association. The contributor or their employer is institutionally linked to a foreign military, intelligence agency, or state-controlled lab.

Unknown. The identity cannot be verified: anonymized email, throwaway handle, or insufficient public footprint. Flagged for human review before release.

The capability is policy-driven. Every risk category can be enabled or disabled based on your organization's requirements. Findings are configurable to your thresholds, exportable as evidence, and traceable to a specific author or library.
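To make the three signals and the policy toggles concrete, here is an added illustration (not Manifest's code) that applies Banned Country, Institution Association, and Unknown to a constructed SBOM fragment and turns the result into per-author, per-library findings plus a release gate. The country and institution lists, the contributor field names, and the sample data are all assumptions made for this example.

```python
from dataclasses import dataclass, field

ALL_SIGNALS = {"Banned Country", "Institution Association", "Unknown"}

@dataclass
class Policy:
    """Organization policy: which lists to match and which signals are enabled."""
    banned_countries: set = field(default_factory=lambda: {"XX"})            # assumed code
    flagged_institutions: set = field(default_factory=lambda: {"Example State Lab"})
    enabled: set = field(default_factory=lambda: set(ALL_SIGNALS))

# Constructed SBOM-like fragment: each component lists its contributors.
SBOM = {"components": [
    {"name": "libfoo", "version": "1.2.0", "contributors": [
        {"handle": "alice", "email": "alice@example.com", "country": "US", "employer": "Example Corp"},
        {"handle": "x9k2", "email": "12345+x9k2@users.noreply.example.com", "country": None, "employer": None},
    ]},
    {"name": "libbar", "version": "0.9.1", "contributors": [
        {"handle": "bob", "email": "bob@example.org", "country": "XX", "employer": "Example State Lab"},
    ]},
]}

def classify(contrib, policy):
    """Return the enabled risk signals that apply to one contributor record."""
    signals = []
    if contrib.get("country") in policy.banned_countries:
        signals.append("Banned Country")
    if contrib.get("employer") in policy.flagged_institutions:
        signals.append("Institution Association")
    # Unknown: no verifiable footprint, or an anonymized commit address.
    no_footprint = not contrib.get("country") and not contrib.get("employer")
    if no_footprint or "noreply" in (contrib.get("email") or ""):
        signals.append("Unknown")
    return [s for s in signals if s in policy.enabled]

def findings(sbom, policy):
    """One evidence row per (library, author, signal), traceable as the post describes."""
    rows = []
    for comp in sbom["components"]:
        lib = f"{comp['name']}@{comp['version']}"
        for c in comp["contributors"]:
            rows.extend({"library": lib, "author": c["handle"], "signal": s}
                        for s in classify(c, policy))
    return rows

def gate(sbom, policy, blocking=frozenset({"Banned Country", "Institution Association"})):
    """Release gate: blocking signals stop the release; Unknown only queues human review."""
    hits = findings(sbom, policy)
    block = [f for f in hits if f["signal"] in blocking]
    review = [f for f in hits if f["signal"] == "Unknown"]
    return {"release": not block, "block": block, "review": review}
```

Disabling a category in `Policy.enabled` removes its findings from both the evidence rows and the gate decision, which is the policy-driven behavior the section describes.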

Who This Is For

Manifest Foreign Risk is built for the teams that own software supply chain risk in practice.

AppSec and product security teams can treat contributor flags the way they treat CVEs: severity, owner, review date, and a gate on future introductions. TPRM teams can surface findings in vendor assessments and require written responses that create accountability and an audit trail. GRC teams can map findings to NIST 800-53 SR-3 and SR-4 controls, support Cybersecurity Maturity Model Certification (CMMC) documentation requirements, and build a board-reportable metric from quarterly re-runs.

For all three, the immediate value is the same: evidence you can bring to a program office, contracting officer, or auditor. Not a score. Not a report. A documented finding with a name, a source, and a severity behind it.

What Comes Next

Manifest Foreign Risk is available now as part of The Manifest Platform.

CVEs get triaged. Licenses get reviewed. Vendors get questionnaires. The contributor behind the code has been the missing piece. That changes today.

See Manifest Foreign Risk in action.
