Proactive Software Supply Chain Risk Management Framework (P-SSCRM)

TL;DR

The paper introduces P-SSCRM, a comprehensive framework for proactively managing software supply chain risks by analyzing real-world data and unifying existing standards and methodologies.

Contribution

It presents a unified model for understanding, quantifying, and developing secure software supply chain risk management strategies based on industry and government standards.

Findings

Identifies common elements across multiple standards and initiatives.

Provides a model for assessing organizational risk management efforts.

Offers guidance for developing proactive supply chain security programs.

Abstract

The Proactive Software Supply Chain Risk Management Framework (P SSCRM) described in this document is designed to help you understand and plan a secure software supply chain risk management initiative. P SSCRM was created through a process of understanding and analyzing real world data from nine industry leading software supply chain risk management initiatives as well as through the analysis and unification of ten government and industry documents, frameworks, and standards. Although individual methodologies and standards differ, many initiatives and standards share common ground. P SSCRM describes this common ground and presents a model for understanding, quantifying, and developing a secure software supply chain risk management program and determining where your organization's existing efforts stand when contrasted with other real world software supply chain risk management initiatives.