Supply chain risk continues to make headlines, from SolarWinds and Kaseya to last week’s announcement of a patch for the OpenSSL vulnerability, and the latest cybersecurity review from the U.K.’s National Cyber Security Centre highlights the serious threats posed by supply chain attacks.
This week the Internet Engineering Task Force (IETF), the internet standards body, meets in London and includes a session for the recently formed Supply Chain Integrity Transparency and Trust (SCITT) Working Group. Working Groups are the primary mechanism for development of IETF specifications and guidelines, many of which are intended to be standards or recommendations.
So what are the aims of this Working Group, why is it important and why now?
Concerns about the security of supply chains, including those for physical goods, services, and digital products, have been around for a long time. The SCITT Working Group aims to improve supply chain security by making the actions of entities in that supply chain transparent and thereby accountable.
Right now it is challenging to manage the ongoing compliance of products and services against requirements across global end-to-end supply/value chains. The root causes are: insufficient standards for tamper-proof and independently verifiable data stores; a lack of legally meaningful and persistent supply/value chain data; and the absence of decentralized, globally interoperable transparency services and trusted service discovery.
A minimal, simple, and concise set of building blocks could guarantee long-term accountability and interoperability for software components and their metadata throughout their lifecycles and across architecturally diverse systems.
Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, and calls on security and risk management leaders to prioritize digital supply chain risk and put pressure on suppliers to demonstrate security best practices. The US President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity charges multiple federal agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
SCITT started as a ‘birds of a feather’ (BoF) session in March 2022, and recently became a fully-fledged Working Group, underlining the importance of supply chain integrity, transparency and trust in today’s digital-first economy. The IETF SCITT Working Group is meeting on Thursday, 10 November, and RKVST Chief Product Officer, Jon Geater, is its newly appointed co-chair. You’re welcome to join the session either in person or remotely (registration required). We’ll also be posting regular updates on the progress and output from this Working Group.
If you’re interested in a general introduction to SCITT, have a read of Jon’s previous blog post, ‘What is SCITT and how does RKVST help?’
The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. The technical work of the IETF is done in Working Groups, which are organized by topic into several Areas. Much of the work is handled via mailing lists. The IETF holds meetings three times per year.