[UPDATE 10/31/2022] The SCITT Use Cases have been officially published in preparation for the IETF meeting in London.
On July 28, 2022 the Internet Engineering Task Force (IETF) took the first step in committing to create standards that will give consumers visibility into software trustworthiness. The new initiative is called Supply Chain Integrity, Transparency and Trust (SCITT) and its work begins on August 1, 2022. The problem statement, which the initiative is being set up to address, reads as follows:
Software is an inherent part of everyday digitally-enabled life, from smartphones to IoT to datacenters. Widely discussed attacks on the software supply chain have helped raise awareness of the risks.
Many other vulnerabilities highlight the need for greater visibility into supply chain integrity, transparency, and trust to make an informed decision.
Use Case: Software Supply Chain focusing on SBOM as evidence to a claim
The proposed charter that will define the scope of work for this IETF initiative is still undergoing some minor changes, but this should be completed shortly. The meeting scheduled for 8/1/2022 should give the group an opportunity to reach a consensus on the SCITT Charter.
There are several reasons why this IETF SCITT initiative is an imperative now, but perhaps the most compelling driver was provided by the May 12, 2021 Cybersecurity Executive Order 14028, which states:
the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the FTC and representatives from other agencies as the Director of NIST deems appropriate, shall identify secure software development practices or criteria for a consumer software labeling program, and shall consider whether such a consumer software labeling program may be operated in conjunction with or modeled after any similar existing government programs, consistent with applicable law. The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone. The Director of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.
On February 4, 2022 NIST published guidance and recommendations to implement a labeling program for consumer software in order to meet the Executive Order requirements for consumer software labeling. At the time of this writing, I am not aware of any government initiatives to foster the development of a consumer labeling program for commercial or open-source software products. Recently, meetings have been hosted at the White House to discuss the need for greater visibility into open-source software, but I'm not aware of any government initiatives to address the need for greater visibility into the trustworthiness of commercial consumer software products. The opportunity exists now to create a "trust" labeling program for consumers to provide visibility into the trustworthiness of applications sold and installed from the many app stores in operation today from companies such as Apple, Google, Microsoft, Amazon and others. Collectively, these app stores represent the largest software distribution channel on the planet for consumer software used on smart devices, i.e., smartphones, tablets, game consoles and other devices which are able to download and install software from an Internet location. There is no doubt that consumers want visibility into a software application's trustworthiness before buying and installing an app, but there is a big problem today: there is no widely adopted standard method to communicate the trustworthiness of apps across all app stores that a consumer could use to compare the trustworthiness of an app before installing it on a device.
The IETF SCITT initiative could, potentially, provide the forum to reach broad adoption of technical standards that will provide software consumers the visibility they need to determine the trustworthiness of commercial and open-source software before buying and installing an application, in alignment with NIST recommendations, guidelines and criteria for software trustworthiness and consumer software labeling.
I encourage parties interested in this very important work to engage in the IETF SCITT initiative by signing up to receive SCITT communications on this site: https://www.ietf.org/mailman/listinfo/scitt
I’m looking forward to seeing your contributions on the IETF SCITT mailing list and in working collaboratively on a solution for consumer visibility into software trust.
Never trust software, always verify and report!™