
Supply chain security has emerged as a critical concern for businesses in every sector. The importance of standardized, trustworthy, and interoperable information models cannot be overstated. Addressing this need, the OASIS Open Supply Chain Information Modeling (OSIM) Technical Committee (TC) is being formed to enhance supply chain management worldwide. The initial TC members include AT&T, Cisco, Google, Microsoft, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others listed in the charter.

Mission and Objectives of OSIM TC

The OSIM TC has a multifaceted mission aimed at enhancing the efficiency and security of supply chains through precise and flexible information modeling, as illustrated below:

The OSIM TC is committed to researching existing supply chain activities and sharing findings with its members. The goal is to identify, reference, and, wherever possible, reuse existing work to avoid reinventing the wheel. The OSIM TC will focus on articulating clear value propositions and developing comprehensive use cases for supply chain information modeling, ensuring the relevance of models to real-world applications.

The committee will develop and maintain standards for supply chain information models, covering all aspects of supply chains. These standards are designed to be both relevant and applicable to current and future industry needs. By developing standards that promote conformance and interoperability, OSIM TC aims to create seamless integration across different platforms and industries, enabling a more interconnected and efficient supply chain ecosystem.

A significant part of OSIM TC’s work will involve promoting the widespread adoption of these standards. The goal is to ensure broad application across hardware and software vendors and open-source communities. The OSIM TC will provide ongoing technical expertise and guidance to stakeholders on the application and evolution of these information model standards, ensuring they remain at the cutting edge of technology and industry requirements.

Related Standards and Work

The following table summarizes the adjacent activities to the work of the OSIM TC.

| Activity | Description | Comparison and Consideration for OSIM |
| --- | --- | --- |
| Asset Administration Shell (AAS) | Supports consistent information sharing across a supply chain. Provides multiple sub-models for information modeling. | Consider using established structures from AAS. |
| Software Bill of Materials (SBOMs) | A nested inventory, a list of ingredients that make up software components. Provides software supply chain information for review and modeling. | Review for value propositions and use cases. |
| Common Security Advisory Framework (CSAF) | A standard that provides a structured way to publish and share security advisories and Vulnerability eXploitability Exchange (VEX) information. | May specify the underlying information model and standard, as well as compare it with other models. |
| OASIS Computing Ecosystem Supply-Chain (CES) | Defines blockchain data schemas, APIs, and smart contracts for supply chains. | Monitor for opportunities in information modeling. |
| CycloneDX | Specifies serializations for sharing SBOM and VEX information. | Specify and compare its underlying information model with other models. |
| In-toto | A framework to protect supply chain integrity. | Monitor for opportunities in information modeling. |
| ISO/IEC/IEEE 12207:2017 | Software life cycle processes. | Monitor for opportunities in information modeling. |
| JSON Abstract Data Modeling (JADN) | Information modeling language that may be used by OSIM. | Information modeling language that may be used by OSIM. |
| OpenEoX | Standardizes the exchange of EOL and EOS information in the industry. | May specify the underlying information model. |
| OpenVEX | A lightweight implementation of VEX. | Specify and compare its underlying information model with other models. |
| ProtoBom | Protobuf representation of SPDX and CycloneDX SBOMs, funded by CISA. | Specify and compare its underlying information model with other models. |
| Sigstore | Focuses on open source supply chain security. | Monitor for opportunities in information modeling. |
| SLSA | A set of incrementally adoptable security guidelines aimed at enhancing the security of software supply chains. | Monitor for opportunities in information modeling. |
| Static Analysis Results Interchange Format (SARIF) | Defines a standard format for static analysis tool outputs. | May specify and compare its underlying information model with others. |
| Supply Chain Integrity, Transparency and Trust (SCITT) | IETF initiative for supply chain transparency. | Monitor for opportunities in information modeling. |
| System Package Data Exchange (SPDX) | Implements SBOMs, standardized as ISO/IEC 5962:2021. | Specify and compare its underlying information model with other models. |
| OASIS Universal Business Language (UBL) | Focuses on traditional supply chain and trade facilitation. It supports the digitization of the commercial and logistical processes for domestic and international supply chains such as procurement, purchasing, transport, logistics, intermodal freight management, and other supply chain management functions. | Investigate and utilize relevant UBL specs or concepts. |

I am honored to be the chair of the Common Security Advisory Framework (CSAF) and the founder and co-chair of OpenEoX. I am looking forward to seeing how the OSIM TC will provide practical advice to help integrate these standards with others into their operations.

Key Deliverables of OSIM TC

The work of OSIM TC is geared towards producing tangible and actionable deliverables, including:

  • Value Propositions and Use Cases: Used to explain the information models, why they are essential, and how they can be leveraged in different supply chain scenarios.
  • Supply Chain Information Model Standards: OSIM TC will release one or more comprehensive specifications that detail the information models.
  • Implementation Guides: OSIM TC will provide guides that offer practical advice to help integrate these standards into their operations.
  • Open-Source Tools and Repositories: The OSIM TC will create tools, reference implementations, FAQs, and other resources to support the awareness and adoption of the TC’s work products.

OSIM is a significant advancement towards a more secure and resilient supply chain ecosystem. This effort underscores the critical role of standardization and demonstrates how cohesive guidelines can significantly enhance the integrity and security of infrastructures globally.



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations