Introducing OASIS Open Supply Chain Information Modeling

By Duncan Sparrell, sFractal Consulting

Cybersecurity threats have evolved significantly over the years, with attackers constantly finding new ways to exploit vulnerabilities in software systems. From worms and viruses to the more recent ransomware attacks, the cost of cybercrime continues to rise. Not only are financial losses mounting, but the potential impact on critical infrastructure such as healthcare systems is also a cause for concern. Recent breaches like Log4Shell, SolarWinds, and XZ underscore the vulnerabilities within our software supply chains. These incidents highlight the critical need to understand software supply chains, their vulnerabilities, and ways to prevent, detect, mitigate, and recover from attacks. Doing so requires understanding the supply chain itself, which is hard in today’s environment.

The OASIS Open Supply Chain Information Modeling (OSIM) Technical Committee aims to standardize and promote information models for supply chains.

The Role of OSIM

OSIM members will work to standardize the representation of information related to supply chains. Unlike data models, information models operate at a higher level of abstraction. They offer a holistic view of the supply chain ecosystem, facilitating a better understanding of the existing data formats, where similarities exist, where gaps exist, and how to utilize the inherent information in them.

Exploring Information Models

While data modeling focuses on implementing data structures, information modeling provides an abstract model that precedes knowledge modeling. Despite the current emphasis on data modeling, there’s a notable lack of attention given to information modeling, particularly in sectors such as supply chain software and cybersecurity. To address this gap, exploring specific use cases and adopting tools like JSON Abstract Data Notation (JADN), an OASIS specification for information modeling, is essential.

Take the Software Bill of Materials (SBOM) as an example. The acute need for SBOMs has spurred significant work in recent years, highlighting their value and driving the implementation of several different SBOM data formats (e.g. SPDX and CycloneDX). Those formats can also portray data other than an SBOM (e.g. vulnerability exploitability, licensing). So what makes an SBOM an SBOM? That is a question OSIM can answer with an SBOM information model. Besides being used to compare the features of the various data formats, the resulting information model can then serve as input to knowledge model graphs that define the semantics, knowledge, and meaning.

Another example is the Vulnerability Exploitability eXchange (VEX), which is even newer and also has multiple evolving data formats (CSAF, CycloneDX, OpenVEX, SPDX). What makes a VEX a VEX? And which elements are in common with an SBOM, or have relationships with elements in an SBOM? These questions become even more important as SBOM and VEX begin to appear in regulations and contractual procurement documents.
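The two passages above ask what an SBOM and a VEX are underneath their competing data formats. The following added example (written for this page, not code from OSIM, JADN, or any of the format projects) sketches that idea in Python: a small abstract information model (a described product, a set of components identified by purl, and dependency edges) that two parsers populate from a constructed SPDX 2.3 JSON document and a constructed CycloneDX 1.5 JSON document, so the two documents can be compared on content rather than syntax. A third function joins a constructed OpenVEX document to the model by purl, illustrating the SBOM/VEX relationship. The sample documents, package names and the `CVE-0000-00000` identifier are placeholders, and the model's shape is this example's assumption, not an OSIM deliverable.

```python
"""Abstract SBOM information model populated from two data formats, joined to VEX.
Added illustration; the model shape is an assumption, not an OSIM specification."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]          # package URL, the cross-format identifier

@dataclass
class Sbom:
    primary: str                 # purl of the software the SBOM describes
    components: set = field(default_factory=set)
    depends_on: set = field(default_factory=set)   # (from purl, to purl) edges

# --- constructed sample documents (placeholders, not real software) -----------
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/example-app@1.0.0"}]},
        {"SPDXID": "SPDXRef-libparse", "name": "libparse", "versionInfo": "2.3.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libparse@2.3.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libparse"},
    ],
}
CDX_DOC = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app", "name": "example-app",
                               "version": "1.0.0", "purl": "pkg:generic/example-app@1.0.0"}},
    "components": [{"type": "library", "bom-ref": "libparse", "name": "libparse",
                    "version": "2.3.0", "purl": "pkg:generic/libparse@2.3.0"}],
    "dependencies": [{"ref": "app", "dependsOn": ["libparse"]}],
}
VEX_DOC = {   # OpenVEX-shaped; vulnerability id is a placeholder
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/1",
    "author": "constructed example", "timestamp": "2024-06-01T00:00:00Z", "version": 1,
    "statements": [{"vulnerability": {"name": "CVE-0000-00000"},
                    "products": [{"@id": "pkg:generic/libparse@2.3.0"}],
                    "status": "not_affected",
                    "justification": "vulnerable_code_not_in_execute_path"}],
}

def from_spdx(doc: dict) -> Sbom:
    """SPDX keys packages by SPDXID and expresses structure as relationships."""
    by_id = {}
    for pkg in doc["packages"]:
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        by_id[pkg["SPDXID"]] = Component(pkg["name"], pkg.get("versionInfo", ""), purl)
    sbom = Sbom(primary="", components=set(by_id.values()))
    for rel in doc.get("relationships", []):
        src, dst, kind = rel["spdxElementId"], rel["relatedSpdxElement"], rel["relationshipType"]
        if kind == "DESCRIBES" and src == doc["SPDXID"]:
            sbom.primary = by_id[dst].purl
        elif kind == "DEPENDS_ON":
            sbom.depends_on.add((by_id[src].purl, by_id[dst].purl))
    return sbom

def from_cyclonedx(doc: dict) -> Sbom:
    """CycloneDX keys components by bom-ref and lists dependencies separately."""
    root = doc["metadata"]["component"]
    comps = [root] + doc.get("components", [])
    by_ref = {c["bom-ref"]: Component(c["name"], c.get("version", ""), c.get("purl")) for c in comps}
    sbom = Sbom(primary=by_ref[root["bom-ref"]].purl, components=set(by_ref.values()))
    for dep in doc.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            sbom.depends_on.add((by_ref[dep["ref"]].purl, by_ref[target].purl))
    return sbom

def vex_status(vex: dict, sbom: Sbom) -> dict:
    """Map each SBOM component purl to {vulnerability id: VEX status} where a statement applies."""
    purls = {c.purl for c in sbom.components}
    out = {}
    for st in vex["statements"]:
        for product in st["products"]:
            if product["@id"] in purls:
                out.setdefault(product["@id"], {})[st["vulnerability"]["name"]] = st["status"]
    return out

if __name__ == "__main__":
    a, b = from_spdx(SPDX_DOC), from_cyclonedx(CDX_DOC)
    print("same information model:", a == b)
    print("VEX status by component:", vex_status(VEX_DOC, b))
```

Because the two parsers normalise into the same dataclasses, the equality check compares the information carried by each document rather than its encoding, which is the kind of comparison an information model enables. Real-world documents carry much more (licensing, hashes, suppliers, timestamps), and that is exactly where a standard model helps expose which fields are shared, which are format-specific, and which are missing.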

Standardizing Supply Chain Information Models

The U.S. government, through agencies like the National Telecommunications and Information Administration (NTIA) and Cybersecurity and Infrastructure Security Agency (CISA), is recognizing the need for transparency and accountability in software procurement. They are requiring vendors to disclose what’s in their software through SBOMs to aid in identifying vulnerabilities.

However, the existence of various competing data models (SPDX, CycloneDX, CSAF, OpenVEX) highlights the necessity of creating information models. A standard framework that sits atop the existing data models defines the essence of “what is an SBOM?” and “what is a VEX?”, and makes it easier to identify commonalities and differences across diverse specifications. Such a model could streamline interoperability and facilitate conversion between formats. While challenges persist, efforts to standardize supply chain information modeling aim to bring clarity and coherence to the complex landscape of software supply chains.

The goal of OSIM isn’t to create yet another competing standard but to provide a unifying framework. By standardizing OSIM, we can bridge the gap between existing data models, emphasizing interoperability and collaboration among multiple standards.

Collaboration is Key

OSIM is paving the way for a safer and more resilient digital future with a secure software supply chain ecosystem. Creating OSIM supply chain information models and achieving their widespread adoption will require collaboration among stakeholders across industries. Whether you’re a customer, a vendor, or a solution provider, your involvement is crucial.

To help shape the future of supply chain security and participate from the start, we encourage you to join the OSIM TC in time to attend our inaugural member meeting on 4 June 2024 at 1pm ET. View the project’s final charter and the call for participation. Contact for more information.

About the Author
Duncan Sparrell’s mission is to make the world a safer place. He has more than 45 years of expertise in conceiving, developing, and delivering state-of-the-art software platforms. He has been involved in cybersecurity since 1990 and retired as AT&T’s Chief Security Architect. Currently, Duncan is semi-retired but serves on various boards, including OASIS Open, and focuses his experience on boutique consulting at the intersection of cybersecurity, standards, and software at sFractal Consulting. He was awarded the US Intelligence Community Seal Medallion in 1994 and the AT&T Science and Technology Medal in 2010. In 2021, Duncan was named an OASIS Distinguished Contributor for his significant impact advancing open standards and open source projects, and he was recently featured in an OASIS Board Member Spotlight profile interview. Duncan’s tagline is “Think evilly, act ethically.”