]> The Graduate University for Advanced　Studies (SOKENDAI)

Japan n_aoki@ieee.org

Security SCITT Internet-Draft This document includes a collection of representative Computational Supply Chain Use Cases. These use cases aim to identify computational supply chain problems that the industry faces today and act as a guideline for developing a comprehensive security architecture and solutions for these scenarios. About This Document Status information for this document may be found at . Discussion of this document takes place on the SCITT Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Supply chain for components that make up a computer system consists of the entire lifecycle, including hardware selection, system design, development, build, integration, deployment, and maintenance. In the software supply chain, SBOM and SCITT architecture are exemplary initiatives that enhance software transparency. Discussions focusing on hardware and its interfaces are also beginning. These supply chain security measures are expected to reduce the complexity of software and provide visibility into its lifecycle, thereby reducing the number of cyber threats that can cause harmful effects such as risks related to the system's attack surface, data leaks, business disruptions, damage to reputation, intellectual property, and financial assets. On the other hand, thorough supply chain security for computer systems can only be achieved by integrating support from hardware to the software stack, enabling effective risk assessment and mitigation. Modern computer systems are influenced by evolving computer architectures and increasingly complex software stacks, making the integrated management of components not always straightforward. End users, such as consumers, need to be able to evaluate whether suppliers maintain appropriate security practices without requiring access to proprietary intellectual property, necessitating an evolutionary extension of the SCITT specification. Post-SCITT compliant products support compliance management with legal, regulatory, and technical requirements (often differing but overlapping and interrelated), risk assessment, and detection of supply chain attacks throughout the entire lifecycle, prioritizing data privacy.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Generic Problem Statement Supply chain security is a crucial requirement for ensuring the stable supply of materials that directly impact consumer survival and those widely used by the majority of consumers, while minimizing threats related to the economy, public health, and safety. As an extension of discussions in the physical domain, the definition of software supply chain security in the cyber domain, , has been established. This is due to the numerous supply chain attacks targeting vulnerabilities in the software supply chain that have been experienced globally, as well as the academic progress in analyzing these attack vectors. This analysis can also be applied to the supply chains of computer systems, which include both hardware and software. Supply chain attacks on computer systems typically involve attackers gaining initial access, making malicious changes upstream in the supply chain, and exploiting vulnerabilities in the downstream systems that are already in operation. The SCITT Architecture defines the core objects, identifiers and workflows necessary to interact with a SCITT Transparency Service:

• Signed Statements
• Receipts
• Transparent Statements
• Registration Policies

The extended YANG data model with transparency schemers defines schemers for mapping SBOMs and vulnerability information.

• Access Control Lists
• SBOM Information
• Vulnerability Information

As described above, specifications for software supply chain security are maturing; however, it remains unclear whether existing standard specifications can be followed while also encompassing a scope that extends beyond software.

Computational Supply Chain Use Cases

Multi-Software Stack and Computer Architecture Software integration is an essential task in building computer systems. The ecosystemization of software development is advancing, a process that involves procuring various software components from multiple suppliers at different layers and creating packages of varying sizes. These include a considerable number of third-party components. Furthermore, depending on the design, there may be cases where components are not strictly separated from one another. Additionally, modern computer systems adopt a variety of architectures and infrastructures. Similar to the increasing complexity of software stacks, computer architectures continue to evolve to keep pace with advancements in applications and hardware. End-consumers want:

• all hardware and software components required to build a computer systems are displayed
• the ability to identify and retrieve all components from a secure and tamper-proof location - to receive an alert when a vulnerability scan detects a known security issue on a running component
• verifiable proofs on build process and build environment with all supplier tiers to ensure end-to-end build quality and security

SCITT provides a standardized way to:

• provide a tiered and transparent framework that allows for verification of integrity and authenticity of the integrated hardware and software at both component and product level before using
• notify hardware and software integrators of vulnerabilities identified during security scans of running components
• provide valid annotations on build integrity to ensure conformance
• provide an interface that reconciles the division of responsibilities between the software and hardware sides

Privacy Considerations The privacy considerations of the SCITT Architecture apply.

Security Considerations The privacy considerations of the SCITT Architecture apply.

References Normative References Fraunhofer SIT Microsoft Research Microsoft Research ARM Traceability in supply chains is a growing security concern. While verifiable data structures have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document proposes a scalable architecture for single-issuer signed statement transparency applicable to any supply chain. It ensures flexibility, interoperability between different transparency services, and compliance with various auditing procedures and regulatory requirements. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Purdue University, West Lafayette, IN, USA Purdue University, West Lafayette, IN, USA Purdue University, West Lafayette, IN, USA Purdue University, West Lafayette, IN, USA ACM To improve cybersecurity posture, automation is necessary to locate the software a device is using, whether that software has known vulnerabilities, and what, if any, recommendations suppliers may have. This memo extends the Manufacturer User Description (MUD) YANG schema to provide the locations of software bills of materials (SBOMs) and vulnerability information by introducing a transparency schema.