Proactive Software Supply Chain Risk Management Framework (P-SSCRM)

The Problem

Digital innovation is accelerating as software is increasingly built with layers of reusable abstractions, including libraries, frameworks, cloud infrastructure, and artificial intelligence (AI) modules. Together, these form a ‘software supply chain.’ A series of attacks on open source software packages, e.g. log4j and XZ Utils, and build infrastructure, e.g. SolarWinds, has heightened attention on the need to secure the software supply chain.

The Approach

The Proactive Software Supply Chain Risk Management Framework (P-SSCRM) is designed to help you understand and plan a secure software supply chain risk management initiative. P-SSCRM was created by understanding and analyzing real-world data from nine industry-leading software supply chain risk management initiatives, and by analyzing and unifying ten government and industry documents, frameworks, and standards. Although individual methodologies and standards differ, many initiatives and standards share common ground. P-SSCRM describes this common ground and presents a model for understanding, quantifying, and developing a secure software supply chain risk management program, and for determining where your organization’s existing efforts stand when contrasted with other real-world software supply chain risk management initiatives.

Examples

We have begun conducting P-SSCRM assessments at a series of organizations. The first example chart here represents an organization’s posture with respect to the 23 P-SSCRM practices and its posture relative to the population of organizations in our dataset.

Radar chart showing P-SSCRM data for an organization

The second example chart represents an organization’s posture with respect to the SSDF requirements and to the population’s posture to the SSDF requirements.

Radar chart showing SSDF data for an organization

Please contact us (see below) if you would like to see what these charts would look like for your software supply chain by participating in a P-SSCRM assessment.

Further Information

This paper describes the full set of P-SSCRM practices and tasks and gives context for the framework’s development and use.

We are currently working on tooling to allow organizations to self-assess and on infrastructure to support a larger population of self- and formal assessments. Watch this space for further information.

Contact Us

Please reach out to us if you have questions or seek assistance with evaluating your software supply chain.

Dr. Laurie Williams, lawilli3@ncsu.edu

Dr. Patrick Morrison, pjmorris@ncsu.edu