With escalating cybersecurity threats exploiting software supply chain vulnerabilities, there’s an urgent need for better understanding and proactive measures to identify and prevent future risks. Members of OASIS Open, the global open source and standards organization, have formed the Open Supply Chain Information Modeling (OSIM) Technical Committee (TC) to standardize and promote information models crucial to supply chain security.
The aim of OSIM is to build a unifying framework that sits on top of existing SBOM data models – such as CSAF, CycloneDX, OpenVEX, and SPDX. OSIM is not intended to replace or endorse any one of these models. Instead, as an information model, OSIM will bring clarity to software supply chain partners, mitigate vulnerabilities and disruptions, reduce security risks, and make it easier for companies to plan for upgrades and contingencies.
“CISA is excited to be a part of this technical effort to bring greater visibility to the software supply chain,” said Allan Friedman, Senior Technical Advisor at CISA. “We have many of the basic building blocks for software transparency and security, including SBOM, VEX, and CSAF. This work by OASIS will facilitate automation for easier and cheaper implementation and tooling, and help provide a unifying supply chain framework and raise the level of collaboration across industries.”
“OSIM represents an important effort to address the need for greater structure and comprehensibility of software supply chains,” said Isaac Hepworth, Google, and OSIM co-chair. “By establishing standardized information models we can enhance transparency, interoperability, and resilience in end-to-end operations – ultimately aiding cyber risk management and protecting critical infrastructure.”
Recognizing the crucial role of Software Bill of Materials (SBOMs) in fortifying software supply chain security, the OSIM TC aims to create, for example, a standardized SBOM information model that would enhance understanding and interoperability across diverse SBOM data formats (i.e. SPDX and CycloneDX). Competing data models, like SPDX, CycloneDX, CSAF, and OpenVex, show the need for creating information models that would bring coherence across diverse specifications.
“OSIM’s approach not only drives a universal taxonomy of thought, it also brings clarity and ease to how we implement standards and frameworks to support multiple industry software supply chain security needs. OSIM facilitates the identification of similarities and differences across specifications, enhancing interoperability and simplifying processes. The current cybersecurity landscape can no longer be defended in a silo,” said Jay White, Microsoft, and OSIM co-chair.
The OSIM TC welcomes a diverse range of contributors, including software and hardware vendors, open-source maintainers, technology consultants, business stakeholders, government organizations, and regulatory bodies. Participation is open to all through membership in OASIS, with interested parties encouraged to join and contribute to shaping the future of supply chain information modeling.