Towards a Zero-Trust Supply-Chain Assurance Rubric for ORAN RIC Applications
Chun Yin Chiu

TL;DR
This preprint proposes a zero-trust supply-chain assurance rubric for O-RAN RIC applications (xApps and rApps). It combines a lifecycle threat model, a mapping from threats to controls and supporting evidence, and incremental onboarding assurance levels, so that operators can decide explicitly what evidence an app must carry before it is admitted to or updated on the RIC.
Contribution
It introduces an app-centric threat model, a threat-control-evidence mapping aligned with security standards, and an operator-facing assurance profile for incremental onboarding.
Findings
Analytical case-study walkthroughs show how the rubric is applied to concrete apps.
The onboarding workflow makes each admit, defer, or reject decision explicit and tied to the evidence presented.
Evaluation focuses on applicability, not deployment-scale performance.
Abstract
Open RAN enables third-party xApps and rApps to be onboarded and updated at operational cadence, creating a software supply chain that spans developers, CI systems, registries, onboarding pipelines, and runtime enforcement points. This preprint proposes a zero-trust supply-chain assurance rubric for O-RAN RIC applications. It makes three contributions: first, an app-centric lifecycle threat model for RIC applications across build, signing, publication, onboarding, runtime, and update or rollback stages; second, a WG11-aligned threat-control-evidence mapping that relates lifecycle threats to O-RAN security baselines and complementary supply-chain evidence; and third, an operator-facing assurance profile that combines secure software development practices, SBOM transparency, and SLSA-style provenance into incremental onboarding levels. Analytical case-study walkthroughs and a minimal…
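The abstract describes an operator-facing profile in which integrity evidence, SBOM transparency, and SLSA-style provenance are combined into incremental onboarding levels, with the update and rollback stage as one of the modelled threat surfaces. The following is an added illustration of that idea, not code from the paper and not its actual assurance profile: a three-level onboarding gate whose levels, evidence keys, trusted-builder and trusted-source lists, signing key, and sample package are all hypothetical. Signature verification is stood in for by an HMAC over the artifact digest; a real gate would verify an asymmetric signature against a registered operator key.

```python
"""Hypothetical xApp onboarding gate: evaluate supply-chain evidence and assign
an incremental assurance level (0-3). Written for this page; the levels and
policy values are assumptions, not the paper's rubric."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed operator policy (illustrative values, not from the paper).
TRUSTED_BUILDERS = {"https://ci.example-operator.net/builder/v1"}
TRUSTED_SOURCES = {"https://git.example-operator.net/xapps/"}
SIGNING_KEY = b"operator-registered-key"  # stand-in for a real signing key


@dataclass
class Package:
    name: str
    version: tuple            # e.g. (1, 2, 0), compared lexicographically
    artifact: bytes           # the onboarded bundle (constructed bytes below)
    manifest_digest: str      # sha256 the publisher claims for the artifact
    signature: str            # signature over manifest_digest
    sbom: dict = field(default_factory=dict)
    provenance: dict = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(digest: str) -> str:
    # HMAC stands in for an asymmetric signature over the artifact digest.
    return hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()


def check_integrity(pkg: Package) -> list:
    """Level 1: the artifact hashes to the manifest digest and the signature
    over that digest verifies. Both failures are reported so a tampered
    artifact is distinguishable from a mis-signed one."""
    failures = []
    digest = sha256_hex(pkg.artifact)
    if digest != pkg.manifest_digest:
        failures.append("digest mismatch")
    if not hmac.compare_digest(sign(digest), pkg.signature):
        failures.append("signature invalid")
    return failures


def check_sbom(pkg: Package) -> list:
    """Level 2: an SBOM is present, bound to this exact artifact, and every
    listed component is version-pinned."""
    if not pkg.sbom:
        return ["sbom missing"]
    failures = []
    if pkg.sbom.get("subject") != pkg.manifest_digest:
        failures.append("sbom not bound to artifact")
    for comp in pkg.sbom.get("components", []):
        if not comp.get("version"):
            failures.append(f"unpinned component {comp.get('name')}")
    return failures


def check_provenance(pkg: Package) -> list:
    """Level 3: SLSA-style provenance names a trusted builder and source and
    is bound to this artifact's digest."""
    prov = pkg.provenance
    if not prov:
        return ["provenance missing"]
    failures = []
    if prov.get("builder") not in TRUSTED_BUILDERS:
        failures.append("untrusted builder")
    if not any(prov.get("source", "").startswith(s) for s in TRUSTED_SOURCES):
        failures.append("untrusted source")
    if prov.get("subject") != pkg.manifest_digest:
        failures.append("provenance not bound to artifact")
    return failures


def check_rollback(pkg: Package, last_approved: dict) -> list:
    """Update/rollback stage: refuse a version older than the last approved
    one, so a validly signed but outdated build cannot be replayed."""
    prev = last_approved.get(pkg.name)
    if prev is not None and pkg.version < prev:
        return [f"downgrade {pkg.version} < {prev}"]
    return []


def assurance_level(pkg: Package, last_approved: dict = None) -> tuple:
    """Return (level, failures): the highest level whose checks all pass and
    the failures of the first level that did not. A downgrade is rejected
    outright regardless of other evidence."""
    failures = check_rollback(pkg, last_approved or {})
    if failures:
        return 0, failures
    level = 0
    for check in (check_integrity, check_sbom, check_provenance):
        failures = check(pkg)
        if failures:
            return level, failures
        level += 1
    return level, []


def make_sample() -> Package:
    """Constructed sample package that satisfies all three levels."""
    artifact = b"xapp-traffic-steer:1.2.0 (constructed sample bytes)"
    digest = sha256_hex(artifact)
    return Package(
        name="traffic-steer",
        version=(1, 2, 0),
        artifact=artifact,
        manifest_digest=digest,
        signature=sign(digest),
        sbom={"subject": digest,
              "components": [{"name": "libfoo", "version": "2.1"}]},
        provenance={"builder": "https://ci.example-operator.net/builder/v1",
                    "source": "https://git.example-operator.net/xapps/traffic-steer",
                    "subject": digest},
    )


if __name__ == "__main__":
    print(assurance_level(make_sample()))
    print(assurance_level(make_sample(), {"traffic-steer": (1, 3, 0)}))
```

The returned failure list is what an operator workflow would record alongside the admit, defer, or reject decision; binding the SBOM and provenance to the artifact digest (rather than just checking they exist) is what prevents evidence from one build being reused for another.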
