Committed to connecting the world

  •  

ITU-T work programme

[2025-2028] : [SG17] : [Q8/17]

[Declared patent(s)]  - [Associated work]

Work item: X.cssc-sra
Subject/title: Technical requirements for cloud service supply chain security risk assessment
Status: Under study 
Approval process: TAP
Type of work item: Recommendation
Version: New
Equivalent number: -
Timing: 2028-09 (Medium priority)
Liaison: ITU-T SG13, ISO/IEC JTC1/SC27
Supporting members: CAICT, China Telecom, China Unicom
Summary: Cloud services are provided and operated as continuously delivered services rather than isolated software or infrastructure products. Their provisioning, delivery, operation, maintenance and change rely on the coordinated use of multiple resources, capabilities, components and services provided or supported by different participants. These elements collectively form the supply chain supporting cloud service delivery and operation, and may affect the security, transparency and trustworthiness of cloud services. Compared with traditional software supply chains, which mainly focus on software components, artefacts, development, build and delivery processes, the supply chain for cloud services further involves continuous operation, platform capabilities, runtime dependencies and multi-party responsibilities. This complexity may be further increased when AI capabilities are integrated into cloud services, as they may expand supply objects and service dependencies and introduce additional AI-related interactions. Security risks may therefore arise not only from untrusted suppliers, unverifiable supply objects or vulnerable components, but also from insecure configurations, hidden runtime dependencies, risk propagation through APIs or service interactions, insufficient control of operational changes, and unclear responsibility boundaries. This Recommendation establishes technical requirements for cloud service supply chain security risk assessment. With reference to existing standards and guidance on cloud security, supply chain security and risk management, including ITU-T X.1601, ITU-T X.1055, ISO/IEC 27036 series, and NIST SP 800-161, it describes the supply chain supporting cloud service delivery and operation, analyses related security risks, specifies technical assessment requirements and assessment outputs, and provides an informative assessment workflow to support practical application. It supports stakeholders in conducting more consistent and practical assessment, and in improving the security, transparency and trustworthiness of cloud service delivery.
Comment: -
Reference(s):
  Historic references:
-
Contact(s):
Mi CAO, Editor
Nan MENG, Editor
Hanyu ZHANG, Editor
ITU-T A.5 justification(s):
Generate A.5 drat TD
-
[Submit new A.5 justification ]
See guidelines for creating & submitting ITU-T A.5 justifications
First registration in the WP: 2026-06-10 15:49:08
Last update: 2026-06-10 15:51:03