Verification Record
AOS-BCM-2026-002-v1.1

Broadcom Structural Exposure Assessment

A jurisdictional assessment of Commonwealth dependence on VMware products contracted through corporate entities controlled by Broadcom Inc. This page records that the assessment is structured in three layers: facts verified against primary sources, author reasoning over those facts with each contestable step named, and the findings resting on that reasoning. Every block is labelled by its kind.

Reference
AOS-BCM-2026-002-v1.1
Date
June 2026
Classification
Released
Version
1.1
Signed by
Brunel Al-Bijwaie, Director, AustraliaOS Pty Ltd
Status

Verification status

The assessment is structured in three layers. Each layer carries a different kind of attestation. The counts below show what is in the document; the CLAIM verdicts below show the engine result for the verified layer.

CLAIMs
40
Analyses
43

CLAIMs are facts tested by the AustraliaOS verification engine against primary sources. ANALYSIS blocks are labelled AUTHOR REASONED: each is the director's reasoning over CLAIMs and names the step at which a reasonable reader could disagree. This assessment carries 43 ANALYSIS blocks and no RECOMMENDATION blocks; it states a structural finding rather than proposing actions.

CLAIM verdicts

Supported
29
Partially Supported
11
Not Supported
0
Unverified
0

SUPPORTED indicates the CLAIM is confirmed by at least one primary source. PARTIALLY SUPPORTED indicates the source pool confirms the substance of the CLAIM but a specific element in the evidence assembly diverges, rotates across runs, or rests on a self-reported rather than an independent source. NOT SUPPORTED would indicate the source contradicts the CLAIM. UNVERIFIED would indicate the source was inaccessible at the time of publication. The 29 SUPPORTED, 11 PARTIALLY SUPPORTED, 0 NOT SUPPORTED, 0 UNVERIFIED census records publication-eligible verification of every CLAIM in the assessment; each PARTIALLY SUPPORTED CLAIM is named below with its grounds.

The eleven PARTIALLY SUPPORTED CLAIMs, by name:

  • CLAIM B — the redomiciliation completion date of 4 April 2018 is confirmed, but "redomiciled" is imprecise: a new Delaware parent, Broadcom Inc., became the publicly traded parent while the Singapore entity continued as a subsidiary.
  • CLAIM C — Broadcom is within CFIUS reach on the facts both Broadcom and the independent Skadden analysis share; the CFIUS review of Brocade rests on Broadcom's own disclosure, with no independent government clearance document in the source pool.
  • CLAIM F — VMware Australia Pty Ltd is a wholly owned downstream subsidiary; the chain link to the Irish parent is partly inferred across the corporate-register sources.
  • CLAIM J — the reach of US subpoena power to a parent and to data under a subsidiary's practical control is a legal characterisation whose application turns on facts the procurement record does not settle.
  • CLAIM Q — the ISM is produced by the ACSC within ASD; the precise authorship attribution is corroborated across the administering-authority pages.
  • CLAIM R — IRAP provides independent assessment of systems against the ISM; single-source administering-authority attestation.
  • CLAIM S — the scope characterisation conflates ISM (a framework of controls) with IRAP (an assessment service); the source pages describe cyber security scope without stating the home-jurisdiction exclusion directly.
  • CLAIM X — the six named agencies are present in the dataset; the specific six-agency selection from the twenty-two is the author's, drawn from the per-agency records.
  • CLAIM FF — VMware LLC and VMware International Unlimited Company are wholly owned subsidiaries; compound entity claim with derivation residue across the SEC sources.
  • CLAIM ZZ — the ATO contract identification (CN4142919-A1) is confirmed against the AusTender record; the deployment characterisation is left open on the face of the record.
  • CLAIM CCC — the AFP contract identification (CN4126523-A1) is confirmed against the AusTender record; the SaaS-Cloud category is taken from the published notice.

The CLAIMs split into the legal-framework claims that establish the statutory boundaries (attested by the United States statute texts, including 18 USC 2713, 18 USC 2709, and 18 USC 2523, the Export Administration Regulations administering authorities, and the Federal Register Presidential Order on the Qualcomm takeover), the Broadcom corporate-chain claims (attested by SEC EDGAR filings including the Broadcom 10-K and the Exhibit 21.1 list of subsidiaries, the Broadcom investor redomiciliation releases, the Irish Companies Registration Office, the Australian Modern Slavery Register, and the Australian Business Register), the Australia-United States CLOUD Act Agreement claims (attested by the Attorney-General's Department International Production Orders framework page, the Department of Justice agreement text, the Department of Home Affairs signed PDF, and the Federal Register Section 2523(b) certification), the Australian security-framework claims (attested by the cyber.gov.au ISM and IRAP pages and the ACSC-within-ASD attestation), and the Commonwealth procurement claims (attested by AusTender Contract Notices for supplier "VMware" over the three years ending 13 May 2026).

The 43 ANALYSIS blocks carry the assessment's reasoning over those CLAIMs: how Section 2713 reach turns on deployment rather than residency, how supply-continuity and corporate-control exposure attach to the corporate chain regardless of deployment, the per-contract worked examples for the ATO, AFP and ASD contracts, and the structural finding that the exposure is assessable but unassessed by the existing frameworks. Each names the step at which a reasonable reader could disagree.

Board provenance

Verdict census frozen in the canonical board file VERIFICATION-2026-06-11-AUTO.md at agentos commit b10ce67 (2026-06-11). No per-assessment audit-chain entry is published for this board.

Sources

Primary sources

Verification draws on five categories of primary source. Each category is named below with the entities and claims it attests. The Commonwealth procurement records for the named-agency figures link directly to their government records on AusTender.

Commonwealth procurement records (AusTender)
Broadcom corporate chain sources
  • SEC EDGAR Broadcom Inc Form 10-K cover (Delaware incorporation, NASDAQ: AVGO)
  • SEC EDGAR Broadcom Inc Exhibit 21.1 list of subsidiaries (VMware LLC, VMware International Unlimited Company)
  • Broadcom investor relations redomiciliation releases (expected and completed) and the SEC Form 8-K completion filing
  • Irish Companies Registration Office record for VMware International Unlimited Company
  • Australian Modern Slavery Register statement and Australian Business Register record for VMware Australia Pty Ltd
United States legal mechanism sources
  • Cornell Legal Information Institute texts of 18 USC 2713, 18 USC 2709, and 18 USC 2523
  • Bureau of Industry and Security (Export Administration Regulations) and Office of Foreign Assets Control administering-authority pages
  • Federal Register Presidential Order of 12 March 2018 prohibiting Broadcom's proposed acquisition of Qualcomm, with the Broadcom Form 8-K compliance disclosure
Australia-US CLOUD Act Agreement sources
  • Attorney-General's Department International Production Orders framework page
  • US Department of Justice published agreement text
  • Department of Home Affairs signed agreement PDF
  • Federal Register Section 2523(b) executive certification of the Agreement
Australian security framework sources
  • cyber.gov.au Information Security Manual page (ISM scope and authorship)
  • cyber.gov.au Information Security Registered Assessors Program page (IRAP scope)
  • cyber.gov.au About page (ACSC within the Australian Signals Directorate)
Scope

What this page is not

This verification record confirms that the claims in the Broadcom Structural Exposure Assessment match what the named primary sources state at the time of publication. It is not a guarantee of fact about the third parties named in the assessment. Subsequent changes to those sources may not be reflected here. The assessment itself, not this verification page, is the decision support artefact. This is AustraliaOS's own verification, performed to a published method and independently checkable by the reader against the cited primary sources. It is not a third-party audit or certification.

Third-party names and marks are the property of their respective owners. AustraliaOS is not affiliated with, authorised by, or endorsed by Broadcom Inc, VMware, or any vendor named. Analysis and general information, not legal advice. See the assessment for its full limits and disclaimers. Obtain your own legal advice.

For accountability, signing, and correction process, see the Accountability Statement.

Download

Assessment PDF

The full assessment, signed by the director, is available below. The verification status set out on this page is reflected in the document footer.

Download Broadcom Structural Exposure Assessment v1.1 PDF
PDF · approximately 137 KB · signed by Brunel Al-Bijwaie, Director
SHA 256: 2f37346821b2a50d719aa0d98aa5f6eb066a57328dad6bbb13ed7e1a2f7ea282
Recompute the SHA 256 with shasum -a 256 or sha256sum to confirm this file is unaltered since publication.
Brunel Al-Bijwaie
Director, AustraliaOS Pty Ltd
Back to Home Accountability Statement