Open Supplychain Information Modeling TC


Call for Participation: OASIS Open Supplychain Information Modeling (OSIM) TC

    Posted 17 days ago

    OASIS Members & Interested Parties:


    A new OASIS technical committee is being formed. The OASIS Open Supplychain Information Modeling (OSIM) TC has been proposed by sFractal, AT&T, Cisco, Google, Microsoft, the US DHS-CISA and NSA, and others listed in the charter. The goal is to bring clarity to software supply chain partners; reduce vulnerabilities, disruptions, and security risks; and make it easier for companies to plan for upgrades and contingencies.


    The official charter is included in this email. The public TC homepage is here.


    All interested parties are welcome to join this TC. To participate: 

    • You must be an employee or designee of an OASIS TC member organization or an individual member of OASIS, and

    • You must submit a request to join the OSIM TC using this form. Your request must be approved by your employer's Primary Representative. OASIS Staff will work with you to obtain that approval.


    To be considered a voting member at the first meeting:

    • You must join the TC by May 28, 2024, and

    • You must attend the first meeting of the TC, on June 4, 2024 at 1pm ET. Note: no work, including technical discussions or contributions, may occur prior to the first TC meeting. 


    You also may join the TC at a later time. 


    If your employer is already on the OASIS TC member roster, you may participate in OASIS Open Supplychain Information Modeling (OSIM) TC (or any of our TCs) at no additional cost. 


    If your employer is not a member, we're happy to help you join OASIS. Contact us to discuss your options for TC membership.


    Please feel free to forward this announcement to any other interested parties or appropriate lists. We encourage and welcome your participation.


    ----------

    CALL FOR PARTICIPATION

    OASIS Open Supplychain Information Modeling (OSIM) TC


    The charter for this TC is as follows:


    Section 1: TC Charter

    1.a. TC Name


    OASIS Open Supplychain Information Modeling (OSIM) TC

    1.b. Statement of Purpose


    The OASIS Open Supplychain Information Modeling (OSIM) TC aims to standardize and promote information models about all aspects of supply chains.


    An Information Model (IM) defines the essential content of messages used in computing, independently of how those messages are represented (i.e., serialized) for communication or storage. Information models are a means to understand and document the essential information content relevant to a system, application, or protocol exchange without regard to how that information is represented in actual implementations. Having a clear view of the information required provides clarity regarding the goals that the eventual implementation must satisfy.




    1.c. Business Benefits


    The establishment of information models and associated explanatory materials will benefit a wide array of stakeholders across the software and hardware industries. The key beneficiaries of this work can be broadly categorized into the following groups:


    Software and Hardware Vendors: Standardized information models will provide clarity across supply chains, reducing the confusion and inefficiencies that result from the diverse implementations of data exchanges among supply chain participants. They will help vendors plan product updates, support, and discontinuation more effectively and transparently, thereby improving customer trust and satisfaction. A standardized information model will also help to catalyze and undergird a thriving, diverse ISV supply chain solution ecosystem, enabling modularity, extensibility, and a composable approach across vendors.


    Open-Source Maintainers: Both hardware and software open-source maintainers will benefit from standardized supply chain information models, enabling them to make informed decisions about incorporating different software and hardware components into their projects.


    End Users and Enterprises: Both individual end users and enterprises that rely heavily on technology for their operations will benefit significantly. They will receive timely and clear information about the products they use, helping them plan upgrades, replacements, or contingency plans in advance, thereby reducing vulnerabilities, disruptions, and potential security risks.


    Technology Consultants and Service Providers: Consultants and service providers will be able to offer more accurate advice and support to their clients with access to standardized supply chain information.


    Supply Chain Partners: The standardization would increase transparency and predictability in the supply chain, which can help reduce uncertainties and risks, leading to a more secure and resilient supply chain.


    Government: Standardization can assist government agencies and regulatory bodies in overseeing the industry more effectively, ensuring that all players comply with the set guidelines, and promoting fair practices.


    1.d. Scope


    The OASIS Open Supplychain Information Modeling (OSIM) TC will:

    • Research and survey existing supply chain activities and share the results with the TC membership. Whenever possible, the OSIM TC will reference and reuse existing work.

    • Develop and maintain value propositions and use cases for supply chain information modeling.

    • Develop and maintain supply chain information model standards about all aspects of supply chains, ensuring their relevance and applicability to current industry needs.

    • Develop and maintain conformance standards for supply chain information models.

    • Facilitate interoperability and compatibility across different platforms and industries.

    • Promote the widespread adoption of these supply chain information model standards and ensure their broad application to hardware and software from both vendors and open-source maintainers.

    • Provide technical expertise and guidance on the application and evolution of these supply chain information model standards.


    1.e. Deliverables


    The primary deliverables of the OASIS Open Supplychain Information Modeling (OSIM) TC will be:

    • Value propositions and use cases:

      • Specifications or Committee Notes to explain why the models are needed and how they will be used

    • Supply chain information model standards:

      • One or more comprehensive specifications detailing the information models.

    • Implementation Guide(s):

      • One or more Committee Notes guiding stakeholders in implementing the information model(s).

    • Open Source Software:

      • One or more software repositories with software, tools, examples, FAQs, and other material supporting awareness and adoption of TC work products


    1.f. IPR Mode


    The OASIS Open Supplychain Information Modeling (OSIM) TC will operate in the Non-Assertion Mode, as described in the OASIS IPR Policy.


    1.g. Audience


    The anticipated audience for this work includes, but is not limited to:

    • Software and hardware vendors

    • Software and hardware open-source maintainers

    • Technology consultants

    • Business stakeholders reliant on technology products

    • International, Federal, and local government organizations

    • Regulatory bodies in the software and hardware industries


    1.h. Language


    The OASIS Open Supplychain Information Modeling (OSIM) TC will conduct its business in English.

    Section 2: Additional Information

    2.a. Identification of Similar Work


    The following are all activities that are adjacent to the proposed work but different from the information modeling of the OASIS Open Supplychain Information Modeling (OSIM) TC.


    • Abstract Syntax Notation

      • ASN.1 is an information modeling language that OSIM may utilize for specifying information models.



    • CISA SBOM

      • A source of much useful software supply chain information, which will need to be reviewed for value propositions, use cases, and information to be modeled.

      • https://www.cisa.gov/sbom


    • Common Security Advisory Framework (CSAF)

      • CSAF is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.

      • OSIM may specify the underlying information model for CSAF. This model may be compared to the underlying information model for similar items (e.g., OpenVEX, CycloneDX, SPDX, ...).


    • Computing Ecosystem Supply-Chain (CES)

      • CES defines blockchain data schemas and ontologies, APIs, and smart contracts that go beyond the current integration with existing suppliers and customers (1 up & 1 down), allowing N-to-N integration.

      • This is ongoing work to be monitored for opportunities for information modeling


    • CycloneDX

      • CycloneDX specifies serializations for sharing SBOM and VEX information

      • OSIM may specify the underlying information model for CycloneDX. This model may be compared to the underlying information model for similar items (e.g., OpenVEX, CSAF, SPDX).


    • In-toto

      • In-toto is about the software supply chain.

      • This is ongoing work to be monitored for opportunities for information modeling


    • ISO/IEC/IEEE 12207:2017

      • Systems and software engineering - Software life cycle processes




    • OpenEoX

      • OpenEoX is an initiative aimed at standardizing the way End-of-Life (EOL) and End-of-Support (EOS) information is exchanged within the software and hardware industries.

      • OSIM may specify the underlying information model for OpenEoX.


    • OpenVEX

      • OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.

      • OSIM may specify the underlying information model for OpenVEX. 

      • This model may be compared to the underlying information model for similar items (e.g., CSAF, CycloneDX).

    • ProtoBom

      • ProtoBom is a protobuf representation of SPDX and CycloneDX SBOMs. The work is funded by CISA.

      • OSIM may specify the underlying information model for ProtoBom and compare it to similar information models.


    • Sigstore

      • Sigstore is about the open source supply chain.

      • This is ongoing work to be monitored for opportunities for information modeling


    • SLSA

      • SLSA is about the software supply chain.

      • This is ongoing work to be monitored for opportunities for information modeling


    • Static Analysis Results Interchange Format (SARIF)

      • SARIF defines a standard format for the output of static analysis tools

      • OSIM may specify the underlying information model for SARIF. 

      • This model may be compared with similar items, as well as how SARIF ties in with other models (e.g., SBOM, VEX).



    • System Package Data Exchange (SPDX) ISO/IEC 5962:2021

      • SPDX is an implementation of SBOM (Software Bill of Materials) and VEX.

      • OSIM may specify the underlying information model for SPDX. This model may be compared to the underlying information model for similar items (e.g., CycloneDX, CSAF, OpenVEX).

      • ISO/IEC 5962:2021


    • OASIS Universal Business Language (UBL) ISO/IEC 19845

      • UBL focuses on all aspects of traditional supply chain and trade facilitation.

      • The OSIM focus is on information modeling of BOMs, particularly Software Bills of Materials (SBOMs) and related cybersecurity information such as VEX.

      • OSIM will investigate where UBL specifications or concepts apply and utilize them where possible.

      • OSIM will inform UBL where OSIM models might be useful to UBL.




    2.b. First TC Meeting


    June 4, 2024 at 1pm ET

    2.c. Ongoing Meeting Schedule


    Monthly via TBD conferencing application

    2.d. TC Proposers




    2.e. Primary Representatives' Support 


    I, Duncan Sparrell, as OASIS primary representative for sFractal Consulting, confirm our support for the OSIM and our participants listed above.


    I, Ed Parsons, as OASIS primary representative for Google, confirm our support for the OSIM and our participants listed above.


    I, Jason Keirstead, as OASIS primary representative for Cyware, confirm our support for the OSIM and our participants listed above.


    I, Jay White, as OASIS primary representative for Microsoft, confirm our support for the OSIM and our participants listed above.


    I, Narendra Vad, as OASIS primary representative for Cisco Systems, confirm our support for the OSIM and our participants listed above.


    I, Vasileios Mavroeidis, as OASIS primary representative for the University of Oslo, confirm our support for the OSIM and our participants listed above.


    I, Patrick Maroney, as OASIS primary representative for AT&T, confirm our support for the OSIM and our participants listed above.


    2.f. TC Convener


    2.g. Anticipated Contributions


    All of the material in section (2)(a).





    --

    Kelly Cullinane

    Senior Director for Standards Development

    OASIS Open

    kelly.cullinane@oasis-open.org
    www.oasis-open.org