1. The OpenChain Project
Mini-Summit - 2023-05-09
14:30 PDT

2. Keeping Things Fun For The Community
Swag and Mascots

3. AGENDA
• 14:30: Introduction: The OpenChain License Compliance and Security
Assurance Standards in 2023
• 14:50: Keynote: Moving Down The Pyramid - SBOMs in 2023
• 15:10 - Break
• 15:20: Keynote: Moving Down The Pyramid - “State of the Tooling” in
Open Source Automation, Helio Chissini de Castro, CARIAD
• 15:40: Special Keynote: FOSSLight - Next Generation Open Source
Automation for Compliance and Security, Kyoungae Kim and Soim
Kim, LG Electronics
• 16:00 - Break
• 16:10: Roundtable Session - Process Standards
• 16:25: Roundtable Session - SBOMs
• 16:45: Roundtable Session - Automation
• 17:00 - Close

4. The OpenChain License Compliance
and Security Assurance Standards in
2023

5. OpenChain Membership – New (old) Faces!
(not an official VW ID.4)

6. OpenChain Membership Today
+

7. Members Represent Over 5.9 Trillion USD In Market Value
https://docs.google.com/spreadsheets/d/1HllBIFRkqiUc-6nnJWRkPd1VmiajeRknDIH6EnWYYLE/edit?usp=sharing

8. Platinum Member / Conformance Pending ISO/IEC 5230 + DIS 18974 Conformant
Platinum Member + ISO/IEC 5230 Conformant
Automotive Banking Cloud Consumer Industrial SaaS Service Silicon Telco
Example Verticals Impacted by OpenChain
This is a snapshot based on membership and select conformant organizations currently listed on our website. Total conformant numbers are far higher.
Example: PwC Survey shows 20% of companies in Germany with over 2,000 employees already used ISO/IEC 5230.

9. Snapshoot Represents Over 7.5 Trillion USD In Market Value
https://docs.google.com/spreadsheets/d/1HllBIFRkqiUc-6nnJWRkPd1VmiajeRknDIH6EnWYYLE/edit?usp=sharing

10. Trillions More In Market Value Touched
(Lockheed co-chairs our spec development)
This is a non-exhaustive list of participants on some of our community lists

11. OpenChain Has 12 Official Tooling Vendors

12. OpenChain Has 11 Official Third-Party Certifiers
CESI

13. OpenChain Has 27 Official Service Providers

14. OpenChain Has 22 Official Legal Providers

15. Key News Around
ISO/IEC DIS 18974

16. General Community News: Standards

17. Overview
● We expect to complete the Draft International Standard (DIS) process via
JTC-1 at the end of June.
● There will be an editorial period after this.
● According to Seth from Joint Development Foundation:
“We will most likely end up passing with edits. We will clean up the editorial
things but nothing technically normative and send it back. They will spend
another month transposing the final version and give us the ISO number.”
Questions?

18. Conformance Continues With De-Facto Standard

19. Key News Around
ISO/IEC 5230

20. OpenChain Has 98 ISO/IEC 5230 Conformant Orgs
Listed On Our Website (totals are higher)
Total conformant numbers are far higher.
Example: PwC Survey shows 20% of companies in Germany with over 2,000 employees already used ISO/IEC 5230.

21. Recent Significant ISO/IEC 5230 Conformance

22. And Also…

23. What Else Is Happening?

24. General Community News: Project Improvements

25. General Community News: Project Improvements

26. General Community News: Project Improvements

27. General Community News: Project Activities

28. General Community News: Webinars

29. General Community News: Events

30. General Community News: Publications

31. General Community News: Asking Questions

32. Into The Weeds…

33. Licensing and Security Specification Editing
● The editing process is continuing as expected, with solid feedback on issues, and
changes heading in the direction of improved clarity.
● The open and closed issues are tracked via GitHub:
Licensing: https://github.com/OpenChain-Project/License-Compliance-Specification/issues
Security: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues
● The draft next generation specifications are also hosted on GitHub:
Licensing: https://github.com/OpenChain-Project/License-Compliance-
Specification/blob/master/3.0/en/openchain-license-compliance-3.0.md
Security: https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-
Specification/2.0/en/openchain-security-specification-2.0.md
● As are the slides used for every meeting (two meetings per month):
https://github.com/OpenChain-Project/Meeting-Minutes/tree/main/Slides

34. Model Language For Procurement
● The first meeting of the Legal Work Group took place on the 25th of April 2023.
● We explored model provisions for including OpenChain ISO/IEC 5230 and
OpenChain ISO/IEC DIS 18974 (and potentially other standards) in procurement
contracts or similar material. The goal is to ensure people can understand options.
We will not be prescriptive, and these model provisions will remain part of the
OpenChain reference material. They will not be included in the standards
themselves.
○ The call started by looking at model provisions done before via the Risk Grid.
○ The document, under public domain, has been moved to the OpenChain GitHub for ease of access
and editing.
● Our outcome was to use this basic format to structure our first round of model
provisions, and to have the option of merging the documents in the future.

35. Moving Down The Pyramid -
SBOMs in 2023

36. One More Thing…
● Today (2023-05-09) we are releasing the first draft case studies created by
ChatGPT on our GitHub.
● These are not intended to replace our community contributions, but to make it
fast for people to add ideas and adjustments.
● This will specifically address one of the greatest challenges in creating new
material: the initial time spent for drafting. Our community usually enjoys
commenting and adjusting more than drafting.
● It took ChatGPT less than ten minutes to create eight case studies:
https://github.com/OpenChain-Project/Reference-Material/tree/master/Adoption-Case-Studies/Official/en/ChatGPT

37. Moving Down The Pyramid -
SBOMs in 2023

38. We Just Talked About SPDX 3.0

39. OpenChain Supports Both NTIA + CISA SBOM
● ISO/IEC 5230 and ISO/IEC DIS 18974 both require the existence of an
SBOM as part of the key requirements of either a quality license compliance
or security assurance program.
● We inherently match the guidance provided by NTIA and CISA.
● We are non-prescriptive on the actual SBOM format used, allowing our
community the freedom to choose SPDX, CycloneDX or SWID as appropriate
to meet their needs.
● We have been positioning the supply chain to meeting The Minimum
Elements For a Software Bill of Materials (SBOM) since our inception.

40. BREAKTIME!

41. Moving Down The Pyramid - “State
of the Tooling” in Open Source
Automation
Helio Chissini de Castro, CARIAD

42. FOSSLight - Next Generation Open
Source Automation for Compliance
and Security
Kyoungae Kim and Soim Kim, LG Electronics

43. BREAKTIME!

44. Roundtable Session –
Process Standards

45. Roundtable Session –
SBOMs

46. Roundtable Session –
Automation