|
Work item:
|
X.cssc-sra
|
|
Subject/title:
|
Technical requirements for cloud service supply chain security risk assessment
|
|
Status:
|
Under study
|
|
Approval process:
|
TAP
|
|
Type of work item:
|
Recommendation
|
|
Version:
|
New
|
|
Equivalent number:
|
-
|
|
Timing:
|
2028-09 (Medium priority)
|
|
Liaison:
|
ITU-T SG13, ISO/IEC JTC1/SC27
|
|
Supporting members:
|
CAICT, China Telecom, China Unicom
|
|
Summary:
|
Cloud services are provided and operated as continuously delivered services rather than isolated software or infrastructure products. Their provisioning, delivery, operation, maintenance and change rely on the coordinated use of multiple resources, capabilities, components and services provided or supported by different participants. These elements collectively form the supply chain supporting cloud service delivery and operation, and may affect the security, transparency and trustworthiness of cloud services.
Compared with traditional software supply chains, which mainly focus on software components, artefacts, development, build and delivery processes, the supply chain for cloud services further involves continuous operation, platform capabilities, runtime dependencies and multi-party responsibilities. This complexity may be further increased when AI capabilities are integrated into cloud services, as they may expand supply objects and service dependencies and introduce additional AI-related interactions. Security risks may therefore arise not only from untrusted suppliers, unverifiable supply objects or vulnerable components, but also from insecure configurations, hidden runtime dependencies, risk propagation through APIs or service interactions, insufficient control of operational changes, and unclear responsibility boundaries.
This Recommendation establishes technical requirements for cloud service supply chain security risk assessment. With reference to existing standards and guidance on cloud security, supply chain security and risk management, including ITU-T X.1601, ITU-T X.1055, ISO/IEC 27036 series, and NIST SP 800-161, it describes the supply chain supporting cloud service delivery and operation, analyses related security risks, specifies technical assessment requirements and assessment outputs, and provides an informative assessment workflow to support practical application. It supports stakeholders in conducting more consistent and practical assessment, and in improving the security, transparency and trustworthiness of cloud service delivery.
|
|
Comment:
|
-
|
|
Reference(s):
|
|
|
Historic references:
|
|
Contact(s):
|
|
| ITU-T A.5 justification(s): |
|
|
|
|
First registration in the WP:
2026-06-10 15:49:08
|
|
Last update:
2026-06-10 15:51:03
|
|