OSIM

OASIS Launches Global Initiative to Standardize Supply Chain Information Models

Boston, MA – 20 June 2024 – With escalating cybersecurity threats exploiting software supply chain vulnerabilities, there’s an urgent need for better understanding and proactive measures to identify and prevent future risks. Members of OASIS Open, the global open source and standards organization, have formed the Open Supply Chain Information Modeling (OSIM) Technical Committee (TC) to standardize and promote information models crucial to supply chain security. 

The aim of OSIM is to build a unifying framework that sits on top of existing supply chain data models, such as CSAF, CycloneDX, OpenVEX, and SPDX. OSIM is not intended to replace or endorse any one of these models. Instead, as an information model, OSIM will bring clarity to software supply chain partners, help mitigate vulnerabilities and disruptions, reduce security risks, and make it easier for companies to plan for upgrades and contingencies.

“CISA is excited to be a part of this technical effort to bring greater visibility to the software supply chain,” said Allan Friedman, Senior Technical Advisor at CISA. “We have many of the basic building blocks for software transparency and security, including SBOM, VEX, and CSAF. This work by OASIS will facilitate automation for easier and cheaper implementation and tooling, and help provide a unifying supply chain framework and raise the level of collaboration across industries.”

“OSIM represents an important effort to address the need for greater structure and comprehensibility of software supply chains,” said Isaac Hepworth, Google, and OSIM co-chair. “By establishing standardized information models we can enhance transparency, interoperability, and resilience in end-to-end operations — ultimately aiding cyber risk management and protecting critical infrastructure.”

Recognizing the crucial role of Software Bills of Materials (SBOMs) in fortifying software supply chain security, the OSIM TC aims to create, for example, a standardized SBOM information model that would enhance understanding and interoperability across diverse SBOM data formats (e.g. SPDX and CycloneDX). Competing data models, like SPDX, CycloneDX, CSAF, and OpenVEX, show the need for information models that bring coherence across diverse specifications.

“OSIM’s approach not only drives a universal taxonomy of thought, it also brings clarity and ease to how we implement standards and frameworks to support multiple industry software supply chain security needs. OSIM facilitates the identification of similarities and differences across specifications, enhancing interoperability and simplifying processes. The current cybersecurity landscape can no longer be defended in a silo,” said Jay White, Microsoft, and OSIM co-chair.

The OSIM TC welcomes a diverse range of contributors, including software and hardware vendors, open-source maintainers, technology consultants, business stakeholders, government organizations, and regulatory bodies. Participation is open to all through membership in OASIS, with interested parties encouraged to join and contribute to shaping the future of supply chain information modeling.

Support for OSIM

Checkmarx
“Checkmarx is proud to be working with OASIS and be part of the OSIM Technical Committee. A major part of Checkmarx’ mission to secure the applications driving our world involves sharing our time, experience, and threat intelligence to help make the software supply chain ecosystem safer. As one of the biggest challenges remains education and closing the knowledge gap, we believe standardization is a crucial step and are committed to assisting in laying the foundations.”
– Erez Yalon, VP of Security Research, Checkmarx

Root
“The OASIS OSIM is a vital project for enhancing security and trust in the software supply chain. As a part of the OSIM Technical Committee, Root is committed to advancing supply chain security and transparency, aligning perfectly with this initiative’s goals. By collaborating on data schemas, data modeling, and security standards, we aim to improve vulnerability management and software security, ensuring threats are identified and mitigated promptly. This enhances software integrity, benefiting our customers and strengthening trust in the broader digital ecosystem.”
– Ian Riopel, CEO, Root.io

SAP SE
“Having a unified information model for representation of objects in the supply chain domain would enable efficient integration models and interoperability. Especially with the wave for generative AI, such aligned models can bring benefits in development efficiency, reduced maintenance and operations for upcoming innovations in the domain.”
– Gururaj Raman, Chief Development Expert, SAP SE

Additional Information
OSIM Project Charter

Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked or referenced within this press release. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Introducing the Open Supply-Chain Information Modeling (OSIM) Technical Committee

Supply chain security has emerged as a critical concern for businesses in every sector. The importance of standardized, trustworthy, and interoperable information models cannot be overstated. Addressing this need, the OASIS Open Supply Chain Information Modeling (OSIM) Technical Committee (TC) is being formed to enhance supply chain management worldwide. The initial TC members include AT&T, Cisco, Google, Microsoft, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others listed in the charter.

You can read the full blog published on Cisco’s website here.

Introducing OASIS Open Supply Chain Information Modeling

Cybersecurity threats have evolved significantly over the years, with attackers constantly finding new ways to exploit vulnerabilities in software systems. From worms and viruses to the more recent ransomware attacks, the cost of cybercrime continues to rise. Not only are financial losses mounting, but the potential impact on critical infrastructure such as healthcare systems is also a cause for concern. Recent incidents like Log4Shell, the SolarWinds compromise, and the XZ Utils backdoor underscore the weaknesses within our software supply chains. They highlight the critical need to understand software supply chains, their vulnerabilities, and ways to prevent, detect, mitigate, and recover from attacks. Doing so requires understanding the supply chain itself, which is hard in today’s environment.

The OASIS Open Supply Chain Information Modeling (OSIM) Technical Committee aims to standardize and promote information models for supply chains.

The Role of OSIM

OSIM members will work to standardize the representation of information related to supply chains. Unlike data models, information models operate at a higher level of abstraction. They offer a holistic view of the supply chain ecosystem, facilitating a better understanding of the existing data formats, where similarities exist, where gaps exist, and how to utilize the inherent information in them.

Exploring Information Models

While data modeling focuses on implementing data structures, information modeling provides an abstract model that precedes knowledge modeling. Despite the current emphasis on data modeling, there’s a notable lack of attention given to information modeling, particularly in sectors such as supply chain software and cybersecurity. To address this gap, exploring specific use cases and adopting tools like JSON Abstract Data Notation (JADN), an OASIS specification for information modeling, is essential.

Using Software Bill of Materials (SBOM) as an example, the acute need for SBOMs has spurred significant work in recent years, highlighting the value of SBOMs and driving the implementation of several different SBOM data formats (e.g. SPDX and CycloneDX). And those formats can portray data other than SBOM (e.g. vulnerability exploitability, licensing). So what makes an SBOM an SBOM? That is a question OSIM can answer with an SBOM information model. Besides being used to compare the features of the various data formats, the resulting information model can then be used as input to knowledge model graphs for defining the semantics/knowledge/meaning.

Another example is Vulnerability Exploitability eXchange (VEX), which is even newer and also has multiple evolving data formats (CSAF, CycloneDX, OpenVEX, SPDX). What makes a VEX a VEX? And which elements are in common with an SBOM, or have relationships with elements in an SBOM? This question becomes even more important as SBOM and VEX begin to appear in regulations and contractual procurement documents.
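To make the distinction between an information model and its serializations concrete, here is an added example (not OSIM’s or any listed project’s code) that defines one model each for “component” and “VEX statement” and feeds it from two data formats apiece: CycloneDX and SPDX for the SBOM side, CycloneDX and OpenVEX for the VEX side. The sample documents are constructed, use only the subset of fields from the published JSON schemas that the example needs (an assumption of this example), and the OpenVEX document id is a hypothetical placeholder. The package URL (purl) is the element the two kinds of document share, which is what lets a VEX statement be attached to an SBOM component regardless of which format each arrived in.

```python
"""Added example: one information model above several serializations.

Not OSIM's or any project's code. Sample documents are constructed and
cover only the schema fields used here (an assumption of this example).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOG4J_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"


@dataclass(frozen=True)
class Component:
    """Information-model view of one entry in a bill of materials."""
    name: str
    version: Optional[str]
    purl: Optional[str]  # package URL: the key that joins SBOM and VEX data


@dataclass(frozen=True)
class VexStatement:
    """Information-model view of one exploitability assertion."""
    vuln_id: str
    product_purl: str
    status: str  # one vocabulary: affected | not_affected | fixed | under_investigation
    justification: Optional[str]  # kept in the source format's own vocabulary


def components_from_cyclonedx(doc: dict) -> List[Component]:
    return [Component(c["name"], c.get("version"), c.get("purl"))
            for c in doc.get("components", [])]


def components_from_spdx(doc: dict) -> List[Component]:
    out = []
    for p in doc.get("packages", []):
        # SPDX carries the purl as an external reference, not a direct field
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append(Component(p["name"], p.get("versionInfo"), purl))
    return out


# CycloneDX and OpenVEX name the same concepts differently; the information
# model fixes one vocabulary and each serialization parser maps onto it.
_CDX_STATE = {"exploitable": "affected", "not_affected": "not_affected",
              "false_positive": "not_affected", "resolved": "fixed",
              "resolved_with_pedigree": "fixed", "in_triage": "under_investigation"}


def vex_from_cyclonedx(doc: dict) -> List[VexStatement]:
    # CycloneDX points at products by bom-ref; resolve that to the purl
    by_ref = {c.get("bom-ref"): c.get("purl") for c in doc.get("components", [])}
    out = []
    for v in doc.get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        state = analysis.get("state")
        if state not in _CDX_STATE:
            raise ValueError(f"unmapped CycloneDX analysis state: {state!r}")
        for a in v.get("affects", []):
            purl = by_ref.get(a["ref"]) or a["ref"]
            out.append(VexStatement(v["id"], purl, _CDX_STATE[state],
                                    analysis.get("justification")))
    return out


def vex_from_openvex(doc: dict) -> List[VexStatement]:
    # OpenVEX already uses the status vocabulary chosen above
    return [VexStatement(s["vulnerability"]["name"], p["@id"], s["status"],
                         s.get("justification"))
            for s in doc.get("statements", []) for p in s.get("products", [])]


def join_vex_to_sbom(components: List[Component],
                     statements: List[VexStatement]) -> Dict[str, List[VexStatement]]:
    """Attach each VEX statement to the SBOM component it describes, keyed by purl."""
    known = {c.purl for c in components if c.purl}
    joined = {}
    for st in statements:
        if st.product_purl in known:
            joined.setdefault(st.product_purl, []).append(st)
    return joined


# Constructed samples: one fact (log4j-core 2.17.1; CVE-2021-44228 fixed) in three formats.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "bom-ref": LOG4J_PURL, "name": "log4j-core",
                    "version": "2.17.1", "purl": LOG4J_PURL}],
    "vulnerabilities": [{"id": "CVE-2021-44228", "analysis": {"state": "resolved"},
                         "affects": [{"ref": LOG4J_PURL}]}]}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-Package-log4j-core", "name": "log4j-core",
                  "versionInfo": "2.17.1",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl", "referenceLocator": LOG4J_PURL}]}]}
OPENVEX_SAMPLE = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/constructed-sample",  # hypothetical document id
    "author": "constructed sample", "timestamp": "2024-06-20T00:00:00Z", "version": 1,
    "statements": [{"vulnerability": {"name": "CVE-2021-44228"},
                    "products": [{"@id": LOG4J_PURL}], "status": "fixed"}]}


def demo() -> dict:
    """Show that the two SBOM formats and the two VEX formats agree once mapped."""
    spdx_components = components_from_spdx(SPDX_SAMPLE)
    openvex = vex_from_openvex(OPENVEX_SAMPLE)
    return {"same_component": components_from_cyclonedx(CYCLONEDX_SAMPLE) == spdx_components,
            "same_statement": vex_from_cyclonedx(CYCLONEDX_SAMPLE) == openvex,
            "joined": join_vex_to_sbom(spdx_components, openvex)}
```

Running `demo()` returns `True` for both comparisons and a single join entry under the log4j purl. The design choice worth noting is that only the vocabulary that both formats express (status) is normalized; the justification is passed through untouched because CycloneDX and OpenVEX define different justification enumerations, and deciding how they correspond is exactly the kind of question an information model has to settle explicitly rather than a parser quietly guessing.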

Standardizing Supply Chain Information Models

The U.S. government, through agencies like the National Telecommunications and Information Administration (NTIA) and Cybersecurity and Infrastructure Security Agency (CISA), is recognizing the need for transparency and accountability in software procurement. They are requiring vendors to disclose what’s in their software through SBOMs to aid in identifying vulnerabilities.

However, the existence of several competing data models (SPDX, CycloneDX, CSAF, OpenVEX) highlights the need for information models. A standard framework that sits atop the existing data models defines the essence of “what is an SBOM?” and “what is a VEX?”, which makes it easier to identify commonalities and differences across the specifications. Such a model could streamline interoperability and facilitate conversion between formats. While challenges persist, efforts to standardize supply chain information modeling aim to bring clarity and coherence to the complex landscape of software supply chains.

The goal of OSIM isn’t to create yet another competing standard but to provide a unifying framework. By standardizing OSIM, we can bridge the gap between existing data models, emphasizing interoperability and collaboration among multiple standards.

Collaboration is Key

OSIM is paving the way for a safer and more resilient digital future with a secure software supply chain ecosystem. Creating OSIM supply chain information models and achieving their widespread adoption will require collaboration among stakeholders across industries. Whether you’re a customer, a vendor, or a solution provider, your involvement is crucial.

To help shape the future of supply chain security and participate from the start, we encourage you to join the OSIM TC. View the project’s final charter and the call for participation. Contact join@oasis-open.org for more information.

About the Author
Duncan Sparrell’s mission is to make the world a safer place. He has more than 45 years of expertise in conceiving, developing, and delivering state-of-the-art software platforms. He has been involved in cybersecurity since 1990 and retired as AT&T’s Chief Security Architect. Currently, Duncan is semi-retired but serving on various boards, including OASIS Open, and focuses his experience on boutique consulting at the intersection of cybersecurity, standards, and software at sFractal Consulting. He was awarded the US Intelligence Community Seal Medallion in 1994 and the AT&T Science and Technology Medal in 2010. In 2021, Duncan was named an OASIS Distinguished Contributor for his significant impact advancing open standards and open source projects and was recently featured in an OASIS Board Member Spotlight profile interview. Duncan’s tagline is “Think evilly, act ethically.”

Call for Participation: OASIS Open Supplychain Information Modeling (OSIM) TC

A new OASIS technical committee is being formed. The OASIS Open Supplychain Information Modeling (OSIM) TC has been proposed by sFractal, AT&T, Cisco, Google, Microsoft, the U.S. DHS-CISA and NSA, and others listed in the charter. The goal is to bring clarity to software supply chain partners, reduce vulnerabilities, disruptions, and security risks, and make it easier for companies to plan for upgrades and contingencies. The official charter is included below. The public TC homepage is here.

All interested parties are welcome to join this TC. To participate:

  • You must be an employee or designee of an OASIS TC member organization or an individual member of OASIS, and
  • You must submit a request to join the OSIM TC using this form. Your request must be approved by your employer’s Primary Representative. OASIS Staff will work with you to obtain that approval.

To be considered a voting member at the first meeting:

  • You must join the TC by May 28, 2024 and
  • You must attend the first meeting of the TC, on June 4, 2024 at 1pm ET. Note: no work, including technical discussions or contributions, may occur prior to the first TC meeting.

You also may join the TC at a later time.

If your employer is already on the OASIS TC member roster, you may participate in OASIS Open Supplychain Information Modeling (OSIM) TC (or any of our TCs) at no additional cost.

If your employer is not a member, we’re happy to help you join OASIS. Contact us to discuss your options for TC membership.

Please feel free to forward this announcement to any other interested parties or appropriate lists. We encourage and welcome your participation.

CALL FOR PARTICIPATION

OASIS Open Supplychain Information Modeling (OSIM) TC

The charter for this TC is as follows:

Section 1: TC Charter
1.a. TC Name

OASIS Open Supplychain Information Modeling (OSIM) TC
1.b. Statement of Purpose

The OASIS Open Supplychain Information Modeling (OSIM) TC aims to standardize and promote information models about all aspects of supply chains.

An Information Model (IM) defines the essential content of messages used in computing, independently of how those messages are represented (i.e., serialized) for communication or storage. Information models are a means to understand and document the essential information content relevant to a system, application, or protocol exchange without regard to how that information is represented in actual implementations. Having a clear view of the information required provides clarity regarding the goals that the eventual implementation must satisfy.
1.c. Business Benefits
 
The establishment of information models and associated explanatory materials will benefit a wide array of stakeholders across the software and hardware industries. The key beneficiaries of this work can be broadly categorized into the following groups:

Software and Hardware Vendors: Standardized information models will provide clarity across supply chains, reducing the confusion and inefficiencies that result from the various diverse implementations of data exchanges across participants in supply chains. It will help vendors plan their product updates, support, and discontinuation more effectively and transparently, thereby improving customer trust and satisfaction. A standardized information model will also help to catalyze and undergird a thriving, diverse ISV supply chain solution ecosystem, enabling modularity, extensibility, and a composable approach across vendors.

Open-Source Maintainers: Both hardware and software open-source maintainers will benefit from standardized supply chain information models, enabling them to make informed decisions about incorporating different software and hardware components into their projects.

End Users and Enterprises: Both individual end users and enterprises that rely heavily on technology for their operations will benefit significantly. They will receive timely and clear information about the products they use, helping them plan upgrades, replacements, or contingency plans in advance, thereby reducing vulnerabilities, disruptions, and potential security risks.

Technology Consultants and Service Providers: Consultants and service providers will be able to offer more accurate advice and support to their clients with access to standardized supply chain information.

Supply Chain Partners: The standardization would increase transparency and predictability in the supply chain, which can help reduce uncertainties and risks, leading to a more secure and resilient supply chain.

Government: Standardization can assist government agencies and regulatory bodies in overseeing the industry more effectively, ensuring that all players comply with the set guidelines, and promoting fair practices.
1.d. Scope

The OASIS Open Supplychain Information Modeling (OSIM) TC will:

– Research and survey existing supply chain activities and share with the TC membership. Whenever possible, OSIM TC will reference and reuse existing work.

– Develop and maintain value propositions and use cases for supply chain information modeling.

– Develop and maintain supply chain information model standards about all aspects of supply chains, ensuring their relevance and applicability to current industry needs.

– Develop and maintain conformance standards for the supply chain information models.

– Facilitate interoperability and compatibility across different platforms and industries.

– Promote the widespread adoption of these supply chain information model standards and ensure their broad application to hardware and software from both vendors and open-source maintainers.

– Provide technical expertise and guidance on the application and evolution of these supply chain information model standards.
1.e. Deliverables

The primary deliverables of the OASIS Open Supplychain Information Modeling (OSIM) TC will be:

– Value propositions and use cases: Specifications or Committee Notes to explain why the models are needed and how they will be used.

– Supply chain information model standards: One or more comprehensive specifications detailing the information models.

– Implementation Guide(s): One or more Committee Notes guiding stakeholders in implementing the information model(s).

– Open Source Software: One or more software repositories with software, tools, examples, FAQs, and other material supporting awareness and adoption of TC work products.
1.f. IPR Mode

The OASIS Open Supplychain Information Modeling (OSIM) TC will operate in the Non-Assertion Mode, as described in the OASIS IPR Policy.
1.g. Audience

The anticipated audience for this work includes, but is not limited to:

– Software and hardware vendors
– Software and hardware open-source maintainers
– Technology consultants
– Business stakeholders reliant on technology products
– International, Federal, and local government organizations
– Regulatory bodies in the software and hardware industries
1.h. Language

The OASIS Open Supplychain Information Modeling (OSIM) TC will conduct its business in English.
Section 2: Additional Information
2.a. Identification of Similar Work

The following are all activities that are adjacent to the proposed work but different from the information modeling of the OASIS Open Supplychain Information Modeling (OSIM) TC.

Abstract Syntax Notation:
ASN.1 is an information modeling language that OSIM may utilize for specifying information models.

Asset Administration Shell (AAS) IEC 63278
AAS supports different information to share consistently across a supply chain during all lifecycle phases of a product or service.
It provides multiple submodels that can be used as IMs: https://industrialdigitaltwin.org/en/content-hub/submodels
OSIM should consider using these established structures.

CISA SBOM
Much useful software supply chain information which will need to be reviewed for value propositions, use cases, and information to be modeled.
https://www.cisa.gov/sbom 

Common Security Advisory Framework (CSAF)
CSAF is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
OSIM may specify the underlying information model for CSAF. This model may be compared to the underlying information model for similar items (e.g., OpenVEX, CycloneDX, SPDX, …).

Computing Ecosystem Supply-Chain (CES)
CES defines blockchain data schemas and ontologies, APIs, and smart contracts that go beyond the current integration with existing suppliers and customers (1 up & 1 down) allowing N-to-N.
This is ongoing work to be monitored for opportunities for information modeling.

CycloneDX
CycloneDX specifies serializations for sharing SBOM and VEX information.
OSIM may specify the underlying information model for CycloneDX. This model may be compared to the underlying information model for similar items (e.g., OpenVEX, CSAF, SPDX).

In-toto
in-toto is a framework for attesting to, and verifying, the steps of a software supply chain.
This is ongoing work to be monitored for opportunities for information modeling.

ISO/IEC/IEEE 12207:2017
Systems and software engineering – Software life cycle processes.

JSON Abstract Data Notation (JADN)
JADN is an OASIS information modeling language that OSIM may utilize for specifying information models.

NTIA Software Transparency
Much useful software supply chain information which will need to be reviewed for value propositions, use cases, and information to be modeled.
https://www.ntia.gov/page/software-bill-materials 

OpenEoX
OpenEoX is an initiative aimed at standardizing the way End-of-Life (EOL) and End-of-Support (EOS) information is exchanged within the software and hardware industries.
OSIM may specify the underlying information model for OpenEoX.

OpenVEX
OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
OSIM may specify the underlying information model for OpenVEX.
This model may be compared to the underlying information model for similar items (e.g., CSAF, CycloneDX).

ProtoBom
ProtoBom is a protobuf representation of SPDX and CycloneDX SBOMs. The work is funded by CISA.
OSIM may specify the underlying information model for protobom and compare to similar information models.

Sigstore
Sigstore provides signing, verification, and transparency-log infrastructure for open source software artifacts.
This is ongoing work to be monitored for opportunities for information modeling.

SLSA
SLSA (Supply-chain Levels for Software Artifacts) is a framework of graded requirements for software build integrity and provenance.
This is ongoing work to be monitored for opportunities for information modeling.

Static Analysis Results Interchange Format (SARIF)
SARIF defines a standard format for the output of static analysis tools.
OSIM may specify the underlying information model for SARIF. 
This model may be compared with similar items, as well how SARIF ties in with other models (e.g. SBOM, VEX).

Supply Chain Integrity, Transparency and Trust (SCITT)
IETF initiative to “enable transparency across any supply chain with minimum adoption barriers”.

System Package Data Exchange (SPDX), ISO/IEC 5962:2021
SPDX is an implementation of SBOM (Software Bill of Materials) and VEX.
OSIM may specify the underlying information model for SPDX. This model may be compared to the underlying information model for similar items (e.g., CycloneDX, CSAF, OpenVEX).

OASIS Universal Business Language (UBL) ISO/IEC 19845
UBL focuses on all aspects of traditional supply chain and trade facilitation.
OSIM focus is on information modeling BOMs, particularly Software Bill of Materials (SBOMs) and related cybersecurity information such as VEX.
OSIM will investigate where UBL specs or concepts apply and utilize where possible. OSIM will inform UBL where OSIM models might be useful to UBL.

X.st-ssc Security threats of software supply chain
ITU SG17 Q4
This is ongoing work to be monitored for opportunities for information modeling.

X.sc-sscti Guidelines on Security Capabilities for Software Supply Chain in the Telecommunications Industry
ITU SG17 Q15
This is ongoing work to be monitored for opportunities for information modeling.
2.b. First TC Meeting

June 4, 2024 at 1pm ET
2.c. Ongoing Meeting Schedule

Monthly via TBD conferencing application
2.d. TC Proposers

Bret Jordan, bret.jordan.sdo@gmail.com
Dave Kemp, NSA, d.kemp@cyber.nsa.gov 
Duncan Sparrell, sFractal Consulting, duncan@sfractal.com (Convener)
Isaac Hepworth, Google, isaach@google.com
Jason Keirstead, Cyware, jason.keirstead@cyware.com
Justin Murphy, CISA, justin.murphy@cisa.dhs.gov 
Jay White, Microsoft, jaywhite@microsoft.com 
Mike Rosa, NSA, mjrosa@cyber.nsa.gov 
Omar Santos, Cisco, osantos@cisco.com
Vasileios Mavroeidis, University of Oslo, vasileim@ifi.uio.no 
Patrick Maroney, AT&T, x118r@att.com
2.e. Primary Representatives’ Support 

I, Duncan Sparrell, as OASIS primary representative for sFractal Consulting, confirm our support for the OSIM and our participants listed above.

I, Ed Parsons, as OASIS primary representative for Google, confirm our support for the OSIM  and our participants listed above.

I, Jason Keirstead, as OASIS primary representative for Cyware, confirm our support for the OSIM and our participants listed above.

I, Jay White, as OASIS primary representative for Microsoft, confirm our support for the OSIM  and our participants listed above.

I, Narendra Vad, as OASIS primary representative for Cisco Systems confirm our support for the OSIM and our participants listed above.

I, Vasileios Mavroeidis, as OASIS primary representative for the University of Oslo, confirm our support for the OSIM and our participants listed above.

I, Patrick Maroney, as OASIS primary representative for AT&T, confirm our support for the OSIM and our participants listed above.
2.f. TC Convener

Duncan Sparrell, sFractal Consulting, duncan@sfractal.com (Convener)
2.g. Anticipated Contributions

https://supplychaininformationmodeling.github.io 
a GitHub pages site for public Awareness & Adoption for OSIM

supplychaininformationmodeling.org
A domain name for this effort (not activated until work starts)

https://github.com/oasis-open/openc2-jadn-software/tree/master/Schemas/CycloneDX
Information Model in JADN of CycloneDX

https://github.com/oasis-open/openc2-jadn-software/tree/master/Schemas/Spdx
Information Model in JADN of SPDX

All of the material in section (2)(a)
