BlackBerry Blog

A New Level of Trust: Corporate-Wide OpenChain ISO/IEC 5230:2020 Conformance

(This Cyber Tactics column, “A New Level of Trust: Corporate-Wide OpenChain ISO/IEC 5230:2020 Conformance,” written by John McClurg of BlackBerry, was originally published May 4, 2022, in Security Magazine. Excerpted with permission – access the full article here).

The OpenChain standard allows companies of all sizes and in all sectors to adopt the key requirements of a quality open-source compliance program while building trust in the supply chain.

If you’re not already aware of it, OpenChain ISO/IEC 5230:2020 is the International Standard for open-source license compliance and is designed to build trust in the supply chain. The standard allows companies of all sizes and in all sectors to adopt the key requirements of a quality open-source compliance program. This is an open standard, and all parties are welcome to engage with the community to share their knowledge and contribute to the future of the standard. BlackBerry recently became the first company based in North America to adopt and conform to OpenChain across its entire product portfolio. The company saw the need to lead in this space and joined other technology-leading companies to adopt a higher standard for its software supply chain.

BlackBerry’s conformance is the first in North America in collaboration with an official OpenChain partner company, OSS Consultants. In addition, the announcement also marked the first whole-entity conformance undertaken anywhere globally with an official OpenChain partner. OpenChain encourages self-certification, independent assessment and third-party certification as options for entities seeking to address the risk profile of their supply chain. The choice of independent assessment in this case underlines how this flexibility allows entities to choose the solution that best fits their size, situation and market.

It is hard to overstate the importance of the action reflected in this announcement. BlackBerry has one of the deepest industry pedigrees in bringing increased peace of mind to enterprise and governmental organizations. Extending that approach into the heart of its open-source software utilization both underlines its commitment to excellence and serves as a beacon for other companies to follow.

The recent Lapsus$ attacks highlighted how third-party partner risk and insider threat can combine to undermine the confidence we can place, at any given moment, in our supply chain; as if, in that regard, the lingering effects of SolarWinds weren’t enough. OpenChain ISO/IEC 5230:2020 addresses the process side of that confidence: it governs how an organization identifies, tracks and manages the open-source components and licenses it ships, rather than the intrusion techniques those attacks used, and conformance reflects a step in the right direction in reclaiming trust in what we deliver. To that end, we welcome the opportunity to “lock shields” with you in the protection of our collective interests.


About John McClurg

Sr. Vice President and CISO at BlackBerry.

John McClurg serves as Sr. Vice President and CISO at BlackBerry. McClurg engages the industry around the globe on today’s risk challenges and how BlackBerry uniquely mitigates them with the application of machine learning and other AI-supported solutions. He champions a move from a historically reactive security posture to one focused on proactively predicting and mitigating future risks.

Before BlackBerry, McClurg served as the Ambassador-At-Large of Cylance and as Dell's CSO, where his responsibilities included the strategic focus and tactical operations of Dell’s internal global security service. He was also charged with the advocacy of business resilience and security prowess, the seamless integration of Dell’s security offerings, and with improving the effectiveness and efficiency of security initiatives.

Before Dell, McClurg served as the VP of Global Security at Honeywell International and at Lucent/Bell Laboratories, and in the U.S. Intelligence Community as a twice-decorated member of the FBI, where he held an assignment with the U.S. Dept of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.

Prior to that, McClurg served as an FBI Supervisory Special Agent, assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center, or what is today known as the National Infrastructure Protection Center within the Dept of Homeland Security.

McClurg also served on assignment as a Deputy Branch Chief with the CIA, helping to establish the new Counterespionage Group, and was responsible for the management of complex counterespionage investigations. He additionally served as a Special Agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers and served on one of the nation’s first Joint Terrorism Task Forces.