IETF Supply Chain Integrity, Transparency and Trust (SCITT) meeting video available
I’m pleased to report that the IETF has agreed to establish a work group to focus on the development of standards to provide software consumers with greater visibility into software trustworthiness before purchasing and installing software. The newly formed work group, called Supply Chain Integrity, Transparency and Trust (SCITT) begins its work on 8/1. SBOM attestation is the first use case being worked on by the SCITT team (which is why I’ve cc’s SPDX and CycloneDX contacts).
I see this IETF work as a means to achieve the EO 14028 and NIST’s goals for consumer software labeling to help consumers determine the trustworthiness of software apps found in the various app stores, which are collectively the largest distribution channel for commercial software on the planet and other distribution hubs, such as GitHub, etc. The NIST recommendation for consumer labeling states this need most clearly:
The software cybersecurity labeling provisions in the May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity (14028) aim to aid consumers in their software selection decisions by enabling comparisons among products and educating them about software security considerations. This transparency may also encourage providers to consider cybersecurity aspects of their software and ways to achieve greater consumer trust and confidence in the software, and ultimately, to improve the management of related cybersecurity risks.
REA is committed to working on this IETF work group and will provide update reports on progress within SCITT to the ICT_SCRM Task Force. REA’s focus of this work in the SCITT work group will be to advance methods to achieve consumer visibility into software trustworthiness following the labeling requirements of EO 14028 and NIST’s recommendations for software consumer labeling, by advocating for a “trust score” to be displayed on all software apps across all app stores used by consumers today; https://doi.org/10.6028/NIST.CSWP.02042022-1
Here is a video of the IETF SCITT meeting (a little under two hours in length):
I’ve cc’d several parties from the C-SCRM community that may wish to participate in this very important initiative to help consumers avoid software risk by identifying the trustworthiness of software.
Fellow C-SCRM community members, please consider joining me in this IETF SCITT work group initiative.
Have a nice weekend.
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Tel: +1 978-696-1788