spdx / ntia-conformance-checker

Check SPDX SBOM for NTIA minimum elements

Align Supplier Check with SPDX specification

jrruwe-f5 opened this issue · comments

The NTIA requirements define Supplier as "The name of an entity that creates, defines, and identifies components."
https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf (Page 9)

The SPDX v2.3 spec defines Supplier differently as "the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package"

What the NTIA document actually calls for from SPDX is the Originator ("this field identifies from where or whom the package originally came"). https://spdx.github.io/spdx-spec/v2.3/package-information/#76-package-originator-field

The ntia-conformance-checker only checks for the supplier field. The requirement may be satisfied by either the supplier or the originator field in the SPDX spec. Can we please modify the checker to look for both fields?

@jrruwe-f5, that makes sense to me. Thanks for the bug report. I should be able to put in a PR later this week.
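The check the issue asks for, written out as an added example (this is not code from ntia-conformance-checker and not part of the thread above): treat the NTIA "Supplier" element as satisfied when a package carries a usable PackageSupplier *or* PackageOriginator, and treat `NOASSERTION`, empty and absent values as unusable. Field names follow the SPDX 2.3 JSON serialization (`supplier`, `originator`); the SBOM below is constructed for illustration, and the actor-string validation (`Person:`/`Organization:` prefix) is this example's own choice, not something the issue specifies.

```python
"""NTIA 'Supplier' minimum-element check that accepts either the SPDX
PackageSupplier or PackageOriginator field.

Added example, not ntia-conformance-checker's own code. Assumes the SPDX 2.3
JSON field names "supplier" and "originator"; SAMPLE_SBOM is constructed.
"""
import json

# SPDX 2.3 actor strings are "Person: name (email)" or "Organization: name (email)".
_ACTOR_KINDS = {"Person", "Organization"}


def usable_actor(value):
    """True if value is a non-empty SPDX actor string with a Person/Organization
    prefix. "NOASSERTION", "", None and malformed strings all count as unusable,
    so a package that explicitly declines to assert a supplier is not credited."""
    if not isinstance(value, str):
        return False
    kind, sep, name = value.partition(":")
    return bool(sep) and kind.strip() in _ACTOR_KINDS and bool(name.strip())


def package_supplier_status(pkg):
    """Return (satisfied, source) for one package dict.

    source is "supplier" when PackageSupplier carries the element,
    "originator" when only PackageOriginator does, and None when neither does.
    """
    if usable_actor(pkg.get("supplier")):
        return True, "supplier"
    if usable_actor(pkg.get("originator")):
        return True, "originator"
    return False, None


def check_document(doc):
    """Map each package SPDXID to its (satisfied, source) status."""
    return {p["SPDXID"]: package_supplier_status(p) for p in doc.get("packages", [])}


def packages_missing_supplier(doc):
    """SPDXIDs of packages that fail the NTIA supplier element under the
    either-field rule."""
    return [spdx_id for spdx_id, (ok, _) in check_document(doc).items() if not ok]


# Constructed sample: pkg-a names a distributor, pkg-b declines to assert a
# supplier but names an originator, pkg-c has neither field.
SAMPLE_SBOM = json.loads("""{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-pkg-a", "name": "liba", "versionInfo": "1.0",
     "supplier": "Organization: Example Distributor"},
    {"SPDXID": "SPDXRef-pkg-b", "name": "libb", "versionInfo": "2.1",
     "supplier": "NOASSERTION",
     "originator": "Organization: Upstream Project (maintainers@example.org)"},
    {"SPDXID": "SPDXRef-pkg-c", "name": "libc-shim", "versionInfo": "0.3"}
  ]
}""")


if __name__ == "__main__":
    for spdx_id, (ok, source) in check_document(SAMPLE_SBOM).items():
        verdict = f"OK via {source}" if ok else "MISSING supplier and originator"
        print(f"{spdx_id}: {verdict}")
    # Non-zero exit when any package fails, so the script can gate a CI step.
    raise SystemExit(1 if packages_missing_supplier(SAMPLE_SBOM) else 0)
```

With the sample document, pkg-a passes through `supplier`, pkg-b passes only because of `originator`, and pkg-c is reported as missing; a checker that looks at `supplier` alone would wrongly fail pkg-b.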