
Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

OpenChain Monthly North America / Asia Call – January 2024 (2024-01-16) – Full Recording


Thank you to everyone who attended the meeting. We had some great feedback. Check out the recording here:

Most Important Outcome

We adjusted the review / renewal period for the Security and Licensing specifications from 18 months to 12 months to align with ISO 17021 for certification of management systems. You can see the details as follows:

Security Specification (potential future ISO 18974 update):

Licensing Specification (potential future ISO 5230 update):

Next Monthly North America / Europe Call Focus Items

Maturity Model consideration for ISO 18974:

+ GM Addition

Scope – for next iteration of ISO 5230:

Review The Past

You can download the slides from this meeting and all previous meetings since we started the specification update cycle here:

OpenChain Monthly North America / Europe Call – January 2024 (2024-01-09) – Full Recording


Please note: this post initially contained some material related to the specification editing that occurred on the North America / Asia call. You can find that material in the North America / Asia call blog post for January 2024.

We kicked off the year with a call to review the 2023 Annual Report and the 2024 “Where We Go Next” statement. This was also an opportunity to discuss the outcomes of the Steering Committee meeting in December 2023.

Get The Slides For This Meeting (and all the others) On GitHub:

Shanghai Development Center of Computer Software Technology Software Engineering Institute announces an ISO/IEC 5230 conformant program


The Shanghai Computer Software Technology Development Center was approved by the former National Science and Technology Commission in 1984 and is a public institution directly under the Shanghai Academy of Sciences. It has long been committed to research on software technology standards and on software application technology. It has promoted industrial development by applying its technical services and research results, has gradually formed the core concept of “service industry, development industry”, and has made many pioneering contributions to China’s software industry.

Software Security Technology Co., Ltd. announces an ISO/IEC 5230 conformant program


Soft Security Science and Technology Co., Ltd. was registered in Chengdu High School District in May 2021. The company focuses on software quality and security control, offering an SCA (software composition analysis) tool, a static source code analysis tool and a fuzz testing tool, and is quickly building software supply chain security solutions that combine open source governance, secure development and software compliance. It has offices in Chengdu, Beijing, Shanghai, Wuhan, and Shenzhen.

Learn more on their site:

OpenChain AI Study Group – Kick-Off Call – 2024-01-23 @ 16:00 GMT (UK Time)


In December 2023 interested parties held the first planning call for an OpenChain AI Study Group focused around the topic of AI Compliance matters. The outcome was a decision to formally start an AI Study Group in 2024.

That study group begins in January 2024 (this month) with a kick-off call scheduled for the 23rd of January at 16:00 GMT (UK Time). You will find this call listed in our Global Calendar. There is also a link to join the call below.

Join the call here:

OpenChain Steering Committee Meeting 2023-12-06 – Full Recording


The OpenChain Steering Committee is the key mechanism to formally decide on day-to-day matters related to OpenChain standardization. It recently held a meeting and has provided guidance for the OpenChain Specification Work Group and larger community.

Summary

In December 2023 the OpenChain Steering Committee reviewed the community work related to proposed updates to ISO/IEC 5230 and ISO/IEC 18974 and provided guidance that:

  • The community-developed update proposals seem reasonable
  • We will extend our Public Comment and Freeze Periods significantly to ensure the supply chain has time to consider the proposed changes
  • The Public Comment period will change from 30 days to 6 months
  • The Freeze Period will change from 14 days to 3 months
  • This will be communicated in an update to the FAQ and to our Specification Work Team.
  • In principle, it is suggested that we target updates to our ISO standards once every five years
  • This would suggest the update for ISO/IEC 5230 is likely to be ready for 2025
  • ISO/IEC 18974 may be updated sooner due to a rapidly-moving market, but not at a speed that would hinder adoption of the existing and newly published version

Be Part Of Our Standardization Work

You can get started, track developments and contribute by subscribing to our Specification Work Group mailing list. We also edit the standards via our monthly North America / Europe and North America / Asia calls.

The OpenChain Project in 2024 – Where We Go Next


As you can read in our Annual Report, the OpenChain Project had an exceptional year in 2023. The biggest accomplishment was our ISO submission and publication of OpenChain ISO/IEC 18974:2023, the new International Standard for open source security assurance. More broadly, our market impact was positive in every direction. In 2024 we will build on our community success guided by the vision and mission in our project charter.

Our vision is a trusted supply chain and our mission is to make that happen.


The OpenChain Project exists to build trust in the supply chain. We unite industries around standard approaches to process management that reduce risk, reduce costs and increase speed. Our focus until now has been improving open source license compliance and security assurance. A lot of our activity is around normalization (community) and embedding (procurement). Everything we have created – standards, community and reference material – serves our purpose and our mission.

In collaboration with our extensive global community of over 1,000 companies, we will continue to build a trusted supply chain throughout 2024.


You are invited to be part of this, and your contributions would be extremely valuable to ensure we provide targeted, timely and useful solutions for tens of thousands of companies using open source in the global supply chain. There are three main areas that we expect to be important in the year ahead.

Promoting Adoption Of Our Standards

The OpenChain Project will continue to build awareness and ease adoption of our published standards for open source license compliance and security assurance. The key resource is our website, including our free self-certification resources, our reference material and quick access to our official partner ecosystem. Easy access to our meetings, events and mailing lists will continue to be at the center of our work.

We will continue to communicate our work at events related to open source in the business sphere, but in 2024 we will also seek to broaden our engagement with the risk management, procurement and insurance areas. Just as open source has become the core of software, we want to make sure ISO standards for open source business process management are clearly understood as critical.

The OpenChain community will continue to play a central role in the adoption of our standards. After all, the OpenChain Project is run by companies using open source for the benefit of the supply chain. Our regional work groups in locations like Mainland China, Japan, Korea, Taiwan, India, Germany and the UK will be important to our continued success. A good place to start if you want to help is our participation page.

Ensuring Our Standards And Supporting Material Are Relevant

In 2024 we will continue to invite all parties to collaborate around future updates to our existing business process standards for open source license compliance and security assurance, and to help with developing new reference material or case studies.

When it comes to our existing standards, there are ongoing editing cycles for ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance). The OpenChain Steering Committee reviewed the community work in December 2023 and provided guidance that:

  • The community-developed update proposals seem reasonable
  • We will extend our Public Comment and Freeze Periods significantly to ensure the supply chain has time to consider the proposed changes
  • The Public Comment period will change from 30 days to 6 months
  • The Freeze Period will change from 14 days to 3 months
  • This will be communicated in an update to the FAQ and to our Specification Work Team.
  • In principle, it is suggested that we target updates to our ISO standards once every five years
  • This would suggest the update for ISO/IEC 5230 is likely to be ready for 2025
  • ISO/IEC 18974 may be updated sooner due to a rapidly-moving market, but not at a speed that would hinder adoption of the existing and newly published version

You can get started, track developments and contribute by subscribing to our Specification Work Group mailing list. We also edit the standards via our monthly North America / Europe and North America / Asia calls.

As for our reference material, you can track active editing and get involved via our Education Work Group mailing list. In 2024 you can expect work around updating our reference training material, new case studies, and the development of more material to support our new ISO standard for open source security assurance, ISO/IEC 18974:2023.

Providing A Space For Potential Future Market Solutions

The OpenChain Project is not static and our work has always been designed to evolve with the market. This is why we give our community space to explore the potential for new material, specifications and solutions that support our mission. For example, in the next few weeks we will launch an AI Study Group to assess the key metrics needed for compliance in this domain in the context of the supply chain. You can keep an eye out for that via our newly created AI Study Group mailing list and by reviewing the recording of their first planning meeting.

There are other activities underway in the OpenChain Project to lend support to a more trusted supply chain, like our Automation Work Group, our Export Control Work Group and our Legal Work Group. Addressing specific industry segments, we have our Automotive Work Group and our Telco Work Group. In 2024 the OpenChain Project will continue to foster a space for such discussions, and we will seek to provide a more structured way to propose, manage and evolve work groups or special interest groups.

It should be noted that there are ongoing discussions around the potential for an SBOM Quality assessment specification and a contribution process specification. The former is being managed by our Telco Work Group, and you can discuss it with the maintainers over at the Telco Work Group mailing list. The latter is at a far earlier stage of discussion, which you can track and participate in via GitHub Issues and – where raised by members of the Specification Work Group – our monthly North America / Europe and North America / Asia calls.

Of course, ideas for new specifications or other market solutions are simply discussions until reviewed and ratified by the OpenChain Steering Committee as official work products of the OpenChain Project. For something like building a new specification (or updating an existing one), we have a formal process for the community to follow.

Conclusion

The OpenChain Project is purposeful and thoughtful in execution. In 2024, we will continue to be an “oil tanker,” with reliable, long-term progress in a predictable direction. This ensures our work in building standards can be trusted for the long cycles of procurement that are needed for industries as diverse as automotive, infrastructure and consumer electronics.

An exciting year for the OpenChain Project is a year where market adoption is trending upwards, we provide continued relevance for our stakeholders, and we make sure our open standards are developed in a way that is truly open for everyone. We expect 2024 will see this continue with strong promotional activity for our existing standards, measured work around future updates to these standards, and space for discussion about potential new market solutions.

You are a vital part of this process. The OpenChain Project is powered by its community, with user companies solving shared market challenges together, and service providers investing in working alongside us. That means contribution. It means mentorship. It means collaborative solutions. Our continued success relies on supporting realistic supply chain solutions, with everyone being a beneficiary of the efficiency this realizes.

If you are already part of our community, welcome back for 2024. If you are new, welcome to one of the best communities in open innovation. We are here to help.

Shane Coughlan
OpenChain General Manager
5th January 2024