The OpenChain Project in 2024 – Where We Go Next

By Featured, News

As you can read in our Annual Report, the OpenChain Project had an exceptional year in 2023. The biggest accomplishment was our ISO submission and publication of OpenChain ISO/IEC 18974:2023, the new International Standard for open source security assurance. More broadly, our market impact was positive in every direction. In 2024 we will build on our community success guided by the vision and mission in our project charter.

Our vision is a trusted supply chain and our mission is to make that happen.


The OpenChain Project exists to build trust in the supply chain. We unite industries around standard approaches to process management that reduce risk, reduce costs and increase speed. Our focus until now has been improving open source license compliance and security assurance. A lot of our activity is around normalization (community) and embedding (procurement). Everything we have created – standards, community and reference material – serves our purpose and our mission.

In collaboration with our extensive global community of over 1,000 companies, we will continue to build a trusted supply chain throughout 2024.


You are invited to be part of this, and your contributions would be extremely valuable to ensure we provide targeted, timely and useful solutions for tens of thousands of companies using open source in the global supply chain. There are three main areas that we expect to be important in the year ahead.

Promoting Adoption Of Our Standards

The OpenChain Project will continue to build awareness and ease adoption of our published standards for open source license compliance and security assurance. The key resource is our website, including our free self-certification resources, our reference material and quick access to our official partner ecosystem. Easy access to our meetings, events and mailing lists will continue to be at the center of our work.

We will continue to communicate our work at events related to open source in the business sphere, but in 2024 we will also seek to broaden our engagement with the risk management, procurement and insurance areas. Just as open source has become the core of software, we want to make sure ISO standards for open source business process management are clearly understood as critical.

The OpenChain community will continue to play a central role in the adoption of our standards. After all, the OpenChain Project is run by companies using open source for the benefit of the supply chain. Our regional work groups in locations like Mainland China, Japan, Korea, Taiwan, India, Germany and the UK will be important to our continued success. A good place to start if you want to help is our participation page.

Ensuring Our Standards And Supporting Material Are Relevant

In 2024 we will continue to invite all parties to collaborate around future updates to our existing business process standards for open source license compliance and security assurance, and to help with developing new reference material or case studies.

When it comes to our existing standards, there are ongoing editing cycles for ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance). The OpenChain Steering Committee reviewed the community work in December 2023 and provided guidance that:

  • The community-developed update proposals seem reasonable
  • We will extend our Public Comment and Freeze Periods significantly to ensure the supply chain has time to consider the proposed changes
  • The Public Comment period will change from 30 days to 6 months
  • The Freeze Period will change from 14 days to 3 months
  • This will be communicated in an update to the FAQ and to our Specification Work Team
  • In principle, it is suggested that we target updates to our ISO standards once every five years
  • This would suggest the update for ISO/IEC 5230 is likely to be ready for 2025
  • ISO/IEC 18974 may be updated sooner due to a rapidly-moving market, but not at a speed that would hinder adoption of the existing and newly published version

You can get started, track developments and contribute by subscribing to our Specification Work Group mailing list. We also edit the standards via our monthly North America / Europe and North America / Asia calls.

As for our reference material, you can track active editing and get involved via our Education Work Group mailing list. In 2024 you can expect work around updating our reference training material, new case studies, and the development of more material to support our new ISO standard for open source security assurance, ISO/IEC 18974:2023.

Providing A Space For Potential Future Market Solutions

The OpenChain Project is not static and our work has always been designed to evolve with the market. This is why we give our community space to explore the potential for new material, specifications and solutions that support our mission. For example, in the next few weeks we will launch an AI Study Group to assess the key metrics needed for compliance in this domain in the context of the supply chain. You can keep an eye out for that via our newly created AI Study Group mailing list and by reviewing the recording of their first planning meeting.

There are other activities underway in the OpenChain Project to lend support to a more trusted supply chain, like our Automation Work Group, our Export Control Work Group and our Legal Work Group. Addressing specific industry segments, we have our Automotive Work Group and our Telco Work Group. In 2024 the OpenChain Project will continue to foster a space for such discussions, and we will seek to provide a more structured way to propose, manage and evolve work groups or special interest groups.

It should be noted that there are ongoing discussions around the potential for an SBOM Quality assessment specification and a contribution process specification. The former is being managed by our Telco Work Group, and you can discuss it with the maintainers over at the Telco Work Group mailing list. The latter is at a far earlier stage of discussion that you can track and participate in via GitHub Issues and – where raised by members of the Specification Work Group – our monthly North America / Europe and North America / Asia calls.

Of course, ideas for new specifications or other market solutions are simply discussions until reviewed and ratified by the OpenChain Steering Committee as official work products of the OpenChain Project. For something like building a new specification (or updating an existing one), we have a formal process for the community to follow.

Conclusion

The OpenChain Project is purposeful and thoughtful in execution. In 2024, we will continue to be an “oil tanker,” with reliable, long-term progress in a predictable direction. This ensures our work in building standards can be trusted for the long cycles of procurement that are needed for industries as diverse as automotive, infrastructure and consumer electronics.

An exciting year for the OpenChain Project is a year where market adoption is trending upwards, we provide continued relevance for our stakeholders, and we make sure our open standards are developed in a way that is truly open for everyone. We expect 2024 will see this continue with strong promotional activity for our existing standards, measured work around future updates to these standards, and space for discussion about potential new market solutions.

You are a vital part of this process. The OpenChain Project is powered by its community, with user companies solving shared market challenges together, and service providers investing in working alongside us. That means contribution. It means mentorship. It means collaborative solutions. Our continued success relies on supporting realistic supply chain solutions, with everyone being a beneficiary of the efficiency this realizes.

If you are already part of our community, welcome back for 2024. If you are new, welcome to one of the best communities in open innovation. We are here to help.

Shane Coughlan
OpenChain General Manager
5th January 2024

The OpenChain Project in 2023 – Annual Report


The work of the OpenChain Project is made possible by our Platinum Members. In 2023, our Governing Board helped guide the project in meaningful ways towards improving legal and security challenges in the global supply chain. I would like to thank everyone involved in providing this strategic and financial support, with special thanks to Jimmy Ahlberg from Ericsson who acted as Chair, and to the formal voting representatives of our 2023 Platinum Member companies:

The result of their support was remarkable.

The OpenChain Project had an exceptional year throughout 2023. The key milestone was the ISO submission and publication of OpenChain ISO/IEC 18974:2023, the new International Standard for open source security assurance. This is the sister standard to OpenChain ISO/IEC 5230:2020, the International Standard for open source license compliance. It is the culmination of over 18 months of work from dozens of contributors, and has already seen adoption by companies like KakaoBank, LG Electronics and BlackBerry. For those curious, we used the JTC-1 PAS Transposition Process in collaboration with our partners at the Joint Development Foundation to take our pre-existing de-facto industry standard and convert it into a formal ISO standard. This is the same mechanism we used with OpenChain ISO/IEC 5230:2020.

More broadly, our market impact was positive in every direction. As a standards project, the key things we look for are positive growth in terms of adoption, positive growth in our collaborative community and its activity, and positive growth in our partner ecosystem for officially endorsed support.

A tangible metric for our success is related to how many programs we are aware of around the world using one or both of the standards we currently publish. One way we track this is through asking companies to inform us of their use, and to allow us to add them to our ‘Community of Conformance’ web page. In 2023, we crossed over 100 listings for ISO/IEC 5230 conformant programs on that page.

However, because we maintain open standards, there is no obligation for companies to inform us of their use. We partially rely on our partner community to assist with deeper metrics based on their client portfolios or their market surveys. Our partners over at PwC Germany provided some excellent numbers indicating significant market traction, with 31% of large German companies already using or planning to use OpenChain ISO/IEC 5230.

While the cumulative impact of these developments cannot be precisely calculated in the context of open standards and a deep, complex supply chain, there are indicators that the problem area we are addressing is seeing real change. According to Synopsys research, the year before OpenChain ISO/IEC 5230:2020 was published, 68% of open source codebases had license compliance issues. Three years later, that number stands at 54%, a 14% decrease in license issues impacting the business domain.

OpenChain ISO/IEC 18974 is at a much earlier stage in its market lifecycle. As with OpenChain ISO/IEC 5230, we expect it to take a while for companies to complete their adoption in security programs, but we already see the type of large and small entity early adoption that is a positive indicator for market fit. With a long and complex supply chain, it is vital to ensure that small companies, or companies with limited resources, can adopt our process management standards as easily as companies with sophisticated and well-funded teams.

In the context of the OpenChain Project, we primarily build and support our standards through an active user community. However, it is also extremely important to have a healthy adjacent ecosystem of commercial service providers to ensure supply chain participants can get help when needed. The OpenChain Project has an official partner program designed to promote commercial providers that work with us on messaging, outreach and broader community development. This ecosystem saw growth in every direction in 2023, most notably in doubling the number of third-party certifiers available across the global market.

As the OpenChain Project enters 2024, we remain committed to the concept of measured, effective engagement with the global supply chain to promote adoption of our standards. A significant portion of our energy will be focused on this, both in the sense of directed project resources, and the expected outcomes of the collaborative user community and the commercial partner community.

The obvious starting point for all interested parties (and your supply chain) is to check out our resources to help companies adopt our standards through free self-certification, independent assessment or third-party certification.

Get Started with all our published standards:

Learn more about OpenChain ISO/IEC 18974:2023 (security assurance):

Learn more about OpenChain ISO/IEC 5230:2020 (license compliance):

Naturally, the OpenChain Project is not static and our work is designed to evolve with the market. We invite all parties to help with collaborating around future updates to our business process standards for compliance, to help with developing new reference material or case studies and to explore the potential for new sister standards that support our mission.

For example, in the next few weeks we will launch an AI Study Group to assess the key metrics needed for compliance in this domain in the context of the supply chain. You can keep an eye out for that via our newly created AI Study Group mailing list and by reviewing the recording of their first planning meeting.

When it comes to our existing standards, there are ongoing editing cycles for ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance). The OpenChain Steering Committee reviewed the community developments in December 2023, and provided guidance that:

  • The community-developed update proposals seem reasonable
  • We will extend our Public Comment and Freeze Periods significantly to ensure the supply chain has time to consider the proposed changes
  • The Public Comment period will change from 30 days to 6 months
  • The Freeze Period will change from 14 days to 3 months
  • This will be communicated in an update to the FAQ and to our Specification Work Team
  • In principle, it is suggested that we target updates to our ISO standards once every five years
  • This would suggest the update for ISO/IEC 5230 is likely to be ready for 2025
  • ISO/IEC 18974 may be updated sooner due to a rapidly-moving market, but not at a speed that would hinder adoption of the existing and newly published version

Everyone is welcome to be part of this process.

We look forward to an excellent 2024 in collaboration with you.

Shane Coughlan
OpenChain General Manager
4th January 2024

Get the slides used to make this report

Dave Marr – OpenChain Chair Emeritus


The OpenChain Project started when David Marr brought people together to talk about improved trust in the supply chain in 2015. The outcome of this action – and his work to lead it as chair from 2016 to 2021 – is dramatically increased trust in the supply chain. As an official outcome of its Q4 2023 Governing Board Meeting, the OpenChain Governing Board hereby thanks David Marr by naming him Chair Emeritus of the OpenChain Project. This is an honorary position that can permanently signal his contribution.

OpenChain Welcomes ISO/IEC 18974:2023, The International Standard For Open Source Security Assurance


KakaoBank is the first company to formally announce conformance to ISO/IEC 18974:2023 adjacent to the ISO publication of the specification.

Learn more about the KakaoBank announcement: https://www.openchainproject.org/news/2023/11/22/kakaobank-iso18974

The Linux Foundation, Joint Development Foundation and the OpenChain Project are delighted to announce the publication of ISO/IEC 18974:2023 as an International Standard. Formerly known as OpenChain Security Assurance 1.1 or ISO/IEC DIS 18974, this is a simple, clear and effective process management standard for open source security assurance. It allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source security assurance program.


Companies around the world can learn more about ISO/IEC 18974:2023, methods of self-certification, independent assessment or third-party certification, as well as access a large library of reference material at https://www.openchainproject.org

ISO/IEC 18974:2023 is an open standard and all parties are welcome to engage with our community, learn from their peers, share their knowledge, and to contribute to the future of our standard. There is no charge to access and use our reference material, self-certification or to engage with our numerous calls, webinars, mailing lists and meetings.

“ISO/IEC 18974:2023 is the result of over seven years work in building simple, effective process management specifications for the open source supply chain. As a sister standard to ISO/IEC 5230:2020, the International Standard for open source license compliance, it has a direct pedigree based on decades of open source management experience distilled and applied by hundreds of contributors. It can immediately be used by companies of any sizes to reduce risk, increase efficiency and ensure sustainability around code management.”

Shane Coughlan, OpenChain General Manager

This standard was created with the input of dozens of people across a period of more than a year. The majority of this process was led by the co-chairs of the OpenChain Specification Work Group, Chris Wood, Fellow at Lockheed Martin, and Helio Chissini de Castro, Software Technologies Lead at CARIAD – a Volkswagen Group Company.

“It is a great accomplishment for the OpenChain team’s hard work to have our Software Assurance specification accepted for publication as an Internationally recognized specification by ISO/IEC.”

Chris Wood, Fellow at Lockheed Martin

“ISO/IEC 18974 fills a market gap that OpenChain could effectively address by connecting people. In a world where security and compliance are no longer seen side by side but rather crossing paths, an intelligent approach on how to manage this situation was needed by professionals. OpenChain provided the right people and the right environment to achieve a practical solution based on the approach previously proven via ISO/IEC 5230.”

Helio Chissini de Castro, Software Technologies Lead at CARIAD – a Volkswagen Group Company.

Industry reception has been equally positive, with the following endorsement from OPPO – an OpenChain Platinum Member – underlining the global applicability of ISO/IEC 18974:2023 for open source security assurance.

“As a core member of OpenChain, OPPO is pleased to see OpenChain’s newly released ISO standard, which aims to ensure the security of the open source software’s supply chain. The development is expected to bring numerous strengths to OPPO and its partners, including enhanced security, improved product quality, and increased competitive advantages. This achievement marks yet another significant milestone in the ongoing development of OpenChain.”

Haydon, Vice President of OPPO and President of Software Engineering

Our official partners at PwC Germany have added their endorsement from the perspective of open source management, regulatory bodies and third-party certification.

“Great joint effort and achievement! As regulatory bodies increasingly recognize the significance of cybersecurity and the necessity for Software Bill of Materials (SBOMs), the introduction of ISO 18974 is a timely and important element for open source management. Its adoption will enhance the resilience and reliability of digital products and services. Furthermore, an external ISO 18974 certification will boost trust within the supply chain and facilitate efficient collaboration.”

Marcel Scholze, Head of Open Source Management Services at PwC Germany

Other companies have previously adopted ISO/IEC 18974:2023 in its OpenChain Security Assurance 1.1 or ISO/IEC DIS 18974:2023 variants, including LG Electronics and BlackBerry. These are functionally identical to ISO/IEC 18974:2023. You can learn more about the companies adopting OpenChain Project standards by visiting our “Community of Conformance” page:
https://www.openchainproject.org/community-of-conformance

CIC is the latest Official OpenChain Partner


China Industrial Control Systems Cyber Emergency Response Team (CIC) is the latest official OpenChain Partner. They will help companies in China with process development and compliance scanning activities.

“China Industrial Control Systems Cyber Emergency Response Team (CIC) is delighted to become an official partner of the OpenChain Project,” said Huang Yunhua, deputy director of the CIC’s Institute of Intellectual Property. “OpenChain ISO/IEC 5230 stipulates key requirements for a high-quality open source license compliance program, which can effectively improve the level of open source supply chain security governance services. We will actively promote the application of OpenChain standards in the field of industrial and information safety, provide services for the domestic open source ecology and related enterprises, and build a more reliable open source software supply chain.”

“The OpenChain Project welcomes CIC to the official partner community today,” says Shane Coughlan, OpenChain General Manager. “This is an important development in strengthening the provision of ISO 5230 and ISO 18974 services in the Chinese market, and it is also an important development in terms of building even more bridges between China and other parts of the global supply chain. As a leader in the open source market, China and Chinese companies are critical to good governance in what we do. Our next steps together will help make open source more effective and more valuable for everyone involved.”

Honda Announces an OpenChain ISO/IEC 5230 Conformant Program


TOKYO, Japan, December 07, 2023 – Honda, a global leader in the manufacturing of automobiles, motorcycles, and power equipment, today announces an OpenChain ISO/IEC 5230 conformant program. Joining other leaders in the domain of open source software, Honda continues to drive long-term, sustainable innovation around the next generation of technologies.

“Honda has a remarkable position as the world’s largest motorcycle manufacturer and the world’s largest manufacturer of internal combustion engines,” says Shane Coughlan, OpenChain General Manager. “Perhaps most notably, they have a remarkable position as a leader in innovation that helps to empower people around mobility. Open source is a key part of the future of this industry, and with today’s announcement of an OpenChain ISO/IEC 5230 program, Honda underlines its position as a thought leader in this domain. A trusted supply chain is critical, and we are fortunate to have companies like Honda driving lasting change.”

About Honda

Honda is a mobility company powered by everyone’s dreams, creating mobility that helps and inspires people, in a wide range of fields including motorcycles, automobiles, power products and aircraft.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

KakaoBank Announces an ISO/IEC 18974 Conformant Program


KakaoBank, a South Korean mobile-only internet bank and financial technology company, has announced the adoption of OpenChain ISO/IEC 18974 in their open source security assurance program. Founded in 2016, KakaoBank is one of the leading financial technology companies in the region.

KakaoBank has long been an active contributor to the open source community. In collaboration with other South Korean companies, KakaoBank has continually sought to make sure practical, efficient value is obtained from the potential of open source platform technologies. Their adoption of OpenChain ISO/IEC 5230, the international standard for open source license compliance, in 2022 was an early indicator of this. The announcement of ISO/IEC 18974 adoption today underlines that commitment.

“The open source team at KakaoBank has taken great strides in demonstrating the effective management of open source for large, agile and rapidly growing business sectors,” says Shane Coughlan, OpenChain General Manager. “The financial sector provides unique challenges in both being an environment of heavy regulation and caution, and a space where rapid digital innovation is taking place. Open source provides an obvious way to ensure new platforms and technologies can be turned into great new services, and the OpenChain standards for license compliance and security assurance provide a way to manage things in a predictable, reliable manner. We are delighted to work with the visionary team at KakaoBank and we look forward to collaborating further on the development of a more trusted supply chain.”

Korea Telecom (KT) Announces an OpenChain ISO/IEC 5230 Conformant Program


Korea Telecom (KT), South Korea’s largest telecommunications operator, has announced an OpenChain ISO/IEC 5230 Conformant Program. With 50,000 employees group-wide, KT has a long history in open source engagement, and has operated a dedicated team for its management since 2012.

KT operates a significant amount of automation for open source process management, and has pioneered solutions like K-COMPASS for open source project registration, review, verification and usage. It maintains courses in its own training system, called Genius, to help ensure new employees and developers understand their role in promoting excellence around open source.

KT’s decision to adopt ISO/IEC 5230 was based on a strategic interest in aligning with international standards for managing the supply chain. In a year-long process adjustment, the open source team ensured that operational activities were not disrupted while all aspects of the KT open source program were brought in line with the requirements outlined in the International Standard for open source license compliance.

“Today’s announcement marks an important milestone not only for the Korean supply chain but also the global management of open source in the telecommunications industry,” says Shane Coughlan, OpenChain General Manager. “With companies like Ericsson and Nokia chairing the OpenChain Board and our Telco Work Group respectively, it has long been clear that our approach to standardization resonates in this market vertical. However, major conformance announcements like this act as a clear lighthouse indicating the path to the future of the supply chain. I want to commend the team involved, and also to thank them for far more than announced today. KT has been part of the OpenChain community for a while, and hosted one of our workgroups in 2019 at their KT DS Seoul headquarters. They have a clear understanding of how this community works, and how it drives business value through collaboration.”

OpenChain Monthly Meeting 2023-10-17 – Recording


We had a super busy call focused on editing update proposals for our core specifications (licensing and security) and editing new proposals for potential future specifications (contribution and SBOM quality). Full recording below.

On OpenChain ISO/IEC 5230 (licensing) we closed this issue:

On OpenChain ISO/IEC DIS 18974 (security) we closed this issue:

For harmonization between ISO/IEC 5230 and ISO/IEC DIS 18974 we closed this issue:

On the proposal for a contribution specification we addressed this issue:

Check out the slides from the call for all the relevant links: