tl;dr – Not at the moment
● That’s it.
● Let’s go home.
What OpenChain Makes (not just standards)
We Study
We Brainstorm
We Make a Guide (if useful)
We Make a Specification (if useful)
We Make a Standard (if useful)
And supporting reference material!
OpenChain Vision + Mission
Our vision is a trusted supply chain and our mission is to make that
happen.
Everything we have created – standards, community and reference material
– is in service of our purpose and our mission.
Outcomes: cheaper, faster, more efficient… for everyone.
Project Charter:
https://github.com/OpenChain-Project/Project-Charter-And-Agreements/blob/master/Project-Charter/OpenChain-Charter-March2020.pdf
Automotive, Banking, Cloud, Consumer, Industrial, SaaS, Service, Silicon, Telco
Example Verticals Impacted by OpenChain
This is a snapshot based on membership and select conformant organizations currently listed on our website. Total conformant numbers are far higher.
Example: PwC Survey shows 20% of companies in Germany with over 2,000 employees already used ISO/IEC 5230.
Trillions More In Market Value Touched
(Lockheed co-chairs our spec development)
This is a non-exhaustive list of participants on some of our community lists
OpenChain Makes Guides, Specs, Standards… +
We Study
We Brainstorm
We Make a Guide (if useful)
We Make a Specification (if useful)
We Make a Standard (if useful)
And supporting reference material!
Our Standards Are Pretty Cool
Process Management
Standards, Guides and Reference Material
Implementation Standards
Implementation Guides, Reference Material and Metrics
Trust Built By Process Management
OpenChain ISO/IEC 5230:2020
International Standard for open source license compliance.
OpenChain ISO/IEC 18974:2023
International Standard for open source security assurance.
High level process standards
Simple, effective and suitable for companies of all sizes in all markets
Openly developed by a vibrant user community and freely available to all
Sister Standards - Processes for Programs
ISO/IEC 5230 (License Compliance) ISO/IEC 18974 (Security Assurance)
Flexible program size
Covering:
● Inbound processes
● Internal processes
● Outbound processes
Standards about process points
Not about process content
The OpenChain standards are the international baseline for quality in
open source license compliance or security assurance programs.
A Continual Heartbeat Of Adoption
OpenChain standards are built, used
and supported by all industries
Recent adoption announcements:
ISO/IEC 5230:2020
ISO/IEC 18974:2023
Reminder: ISO standards can be adopted and used by any party,
so we only get informed and do PR on a discretionary basis.
1H 2025 Overview
› New Platinum Member:
› ISO/IEC 5230 Co-Announcements:
› Recertification Co-Announcements:
› ISO/IEC 18974 Co-Announcements:
● Proposed updates to ISO/IEC 5230 and ISO/IEC 18974 finished public comments and freeze periods, moved to Steering Committee.
● Maturity models released.
● “Explainers” for company departments released.
● Open source policy template updated.
● Telco SBOM Quality Guide updated.
● AI BOM Compliance Guide complete, board approval pending.
● Cross-industry SBOM quality guide early drafting.
● Reorganized reference library of 1,500~ resources.
● Better discoverability of processes
● Improved integration with other
A Simple Idea
● Keep evolving to address emerging market concerns.
● But do not reinvent the wheel.
● And keep it simple.
AI Compliance Draft Guide Ready
We held our regular workshop for the OpenChain AI Work Group on May 6th. During this
meeting some important decisions were made. The Work Group attendees agreed that initial
drafting on the AI SBOM Compliance Guide is now substantially complete, and there will be
two next steps:
1. Asking for formal approval to start a public comment period from the Governing Board
today.
2. If approval is given, the guide will go into a six-week public comment period, and after that
period will move into a publication process.
The Draft AI SBOM Compliance Guide:
https://docs.google.com/document/d/1XHztgMALwnu2D02bmWYyXeW3wE_Jw199/edit#heading=h.x3i92tls8mld
Last Meeting:
SBOM Study Group Update
The SBOM Study Group has continued its discussion around SBOM Quality.
There are two key items framing the discussion:
1. The release of Version 1.1 of the Telco SBOM Quality Guide:
https://openchainproject.org/featured/2025/05/09/openchain-telco-sbom-guide-version-1-1-now-available
2. The development of a “thinking” document considering how a cross-industry, cross-format SBOM quality
guide could be structured:
https://github.com/OpenChain-Project/SBOM-sg/blob/main/Cross-Industry-SBOM-Quality-Guide/en/Cross-Industry-SBOM-Quality-Guide.md
3. Suggest approach = family tree: Cross-Industry > Industry Specific Guides
(in practice starting with Telco Guide as basis)
Last Meeting:
In Summary – The New Stuff Is At “Guide”
We Study
We Brainstorm
We Make a Guide (if useful)
We Make a Specification (if useful)
We Make a Standard (if useful)
Let’s see what the market says
Our Community Study and Work Groups
Industry-Specific Work Groups
Automotive (Summer 2019~)
Telecom (Spring 2021~)
Regional User Groups
China (Sept 2019~)
Germany (Jan 2020~)
India (Sept 2019~)
Japan (Dec 2017~)
Korea (Jan 2019~)
Taiwan (Sept 2019~)
UK (June 2020~)
Core Work Groups
Education (Autumn 2020~)
Specification (Spring 2016~)
Community Work Groups
AI (January 2024~)
Automation (Summer 2019~)
Community Study Groups
SBOM (July 2024~)
We Have Commercial Support
Tooling / Automation
Third-Party Certification
Consultancies
Legal Providers
Follow and Participate
● Our calls are open and publicly
listed.
● We publish a recording of every
meeting not under Chatham
House Rule.
● We provide access to work groups,
special interest groups and local
work groups via mailing list.
● We also use Slack and WeChat.