The OpenChain Telco workgroup was started in May 2021. Its objective was to find a consensus on what a quality SBOM (Software Bill of Materials) is for the telco industry.
The telecom industry provides critical infrastructure and is therefore heavily regulated. Vendors and operators are in a many-to-many relationship: vendors usually sell to several customers worldwide, while operators source from several vendors. Building an industry alignment on the SBOM reduces the fragmentation in SBOMs requested and provided. The reasons to create a telco-specific consensus were to focus on the needs of the industry, to focus the consensus building on the telecom actors, and to be able to react to telecom-specific regulations.
- recommend a data format for the SBOM that is both machine-readable and human readable;
- give the fields that should be present in the SBOM, in accordance with industry best practices, including the NTIA SBOM minimum elements and the CISA SBOM type;
- explain when and how the SBOM should be distributed.
We do not recommend tools to create the SBOM, in order not to kill competition between vendors, but we specify what the tools should provide.
An entity that claims conformance to the guide can do so without being conformant to the OpenChain specification ISO/IEC 5230, but it is recommended that they are.
The Telco workgroup is free for anyone to join. We meet on the first Thursday of the month, with two sessions: one for Europe and Asia time zones, and one for the Americas. The sessions are recorded and published on YouTube. We also have a mailing list, https://lists.openchainproject.org/g/telco, where the minutes of the meetings are published and where we discuss the content of the document.
We had participation from many companies, large and small, and from independent consultants.
Companies include:
- Ericsson
- Nokia
- Huawei
- KDDI Corporation
- Fujitsu
- Toshiba
- Sony
- Bosch
- MBition
- Qualcomm
- Analog Devices Inc.
- Smart Talk Beacon Solutions Ltd.
- KPMG International
- LG
- CARIAD (Volkswagen Group)
So we had interest and participation from companies outside the telco industry. In fact, the result of our work does not contain recommendations that are very specific to the telco industry, and the guide can be used by other industries.
The document was developed on GitHub: https://github.com/OpenChain-Project/Telco-WG/
The document is organised as follows:
- Scope
- Terms and definitions
- A list of requirements
- Conformant notice
- References
For each requirement there is:
- a “Verification and reference material” section,
- a “Rationale” explaining why this requirement is made.
The draft document was called “OpenChain Telco SBOM Specification”, but we finally decided to rename it “OpenChain Telco SBOM Guide”, as it is not ready to be formally submitted to the Steering Committee as a proposed new official OpenChain specification.
The final draft of the document was approved by the workgroup on 7 September 2023, after all remarks had been taken into account. A Japanese translation of the guide was provided by Masahiro Daikoku of KDDI Corporation.
We are now proposing that the “OpenChain Telco SBOM Guide” be approved as an official OpenChain document by the OpenChain Steering Committee at its March 26th meeting.