A UK Government report on open source software contains some very specific findings and recommendations to establish trustworthiness in open source software:
4.1.3 Trust in Open-Source Software

Trust in OSS is a critical concept when adopting OSS components. How does one come to trust an OSS component? More often than not, “there is no sound basis for trust in the Software Ecosystems (SECO) hubs”, with trust being considered “founded or unfounded” (Hou et al., 2022).

Outside of academic papers, trustworthiness wasn’t mentioned in any of the best

This is a significant gap in the best practices landscape, as trust plays a vital role in adopting OSS components.
This is precisely why a SCITT Trust Registry is essential, to serve as a trust anchor for trustworthy software products
with specific cybersecurity labels providing justification for a “trust score” in the registry, which the buying public can query before buying a product.
The US Coast Guard is planning to implement a “Trust Registry” of approved products, which limits which products can
be installed in IT and OT systems used by the US Coast Guard:
I’m doing a presentation to the US NASA and the US Department of Energy (DOE) on March 21 on this very topic of SCITT
Trust Registries to identify trustworthy products that have passed a risk assessment and may be installed in IT and OT systems.
Trustworthiness of a product will be based on NIST SCRM best practices contained in CISA’s Secure Software Acquisition
Guide, https://cisa.gov/sag
Am happy to share my March 21 slides with any that request them.
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Risk always exists, but trust must be earned and awarded.™