Introduction

The Proactive Software Supply Chain Risk Management Framework (P-SSCRM) described here is designed to help you understand and plan a secure software supply chain risk management initiative. P-SSCRM was created by studying and analyzing real-world data from nine industry-leading software supply chain risk management initiatives, and by analyzing and unifying ten government and industry documents, frameworks, and standards. Although individual methodologies and standards differ, many initiatives and standards share common ground. P-SSCRM describes this common ground and presents a model for understanding, quantifying, and developing a secure software supply chain risk management program, and for determining where your organization’s existing efforts stand when contrasted with other real-world software supply chain risk management initiatives.

The table below shows the structure of the P-SSCRM Framework. It includes four broad groups: Governance, Product, Environment, and Deployment. Our practice and control descriptions provide a common vocabulary for explaining the salient elements of a Software Supply Chain Risk Management Initiative (SSCRM-I). Within the four P-SSCRM groups are 15 practices (e.g., Perform compliance). The current version of P-SSCRM is composed of 75 software supply chain risk management controls organized into these 15 practices.

The Governance Group contains five practices made up of controls that focus on the organization and measurement of a secure software supply chain, on policies for decision making, on accountability to third-party organizations, and on remaining compliant with legal and regulatory requirements. The Product Group contains five practices made up of controls that lead to the deployment of a secure product with minimal vulnerabilities, together with the required attestations and artifacts. The Environment Group contains three practices made up of controls that protect the confidentiality and integrity of source code, software components, and the build infrastructure from tampering and unauthorized access. The Deployment Group contains two practices made up of controls for identifying, analyzing, and addressing vulnerabilities in products.

Governance
G.1 Perform compliance
G.2 Develop security policies
G.3 Manage suppliers
G.4 Training
G.5 Assess and manage risk

Product
P.1 Develop security requirements
P.2 Build security in
P.3 Manage component and container choices
P.4 Discover vulnerabilities
P.5 Manage vulnerable components and containers

Environment
E.1 Safeguard artifact integrity
E.2 Safeguard build integrity
E.3 Secure software development environment

Deployment
D.1 Respond to/disclose vulnerabilities
D.2 Monitor intrusions/violations


The P-SSCRM Framework is the result of a study of real-world software supply chain risk management initiatives and of the union of the controls in ten government and industry documents (standards and frameworks). Each control in P-SSCRM is mapped to one or more of these standards and frameworks. The model is built directly from these controls and from data observed in real-world software supply chain risk management initiatives at a diverse and global collection of firms, collected in 2022 and 2023. We conducted interviews based on P-SSCRM at nine software development organizations, as described in [Williams, Miguez], and found that the organizations had implemented common security controls and were in the process of adopting controls to guard against the novel attack vectors introduced by software supply chain attacks.

The frameworks used in the foundation and mapping of P-SSCRM controls, with links to the mapping references, are:


Other Software Supply Chain frameworks not mapped into P-SSCRM:

The control numbers from P-SSCRM v1.01 remain intact for these currently unassigned controls. They come from the Closing the Chain research study, which identified controls needed to mitigate ATT&CK techniques but that were found in the ten contributing frameworks [unassigned controls].