Secure Supply Chain Consumption Framework (S2C2F) Simplified Requirements This document is provided “as -is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustratio n only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your in ternal reference purposes. Licensed under Community Specification License 1.0 Table of Contents Document Change Record ................................ ................................ ................................ ............................. 3 Introduction ................................ ................................ ................................ ................................ ................... 4 About the Secure Supply Chain Consumption Framework ................................ ................................ ........... 4 What is the Secure Supply Chain Consumption Framework? ................................ ................................ ....... 5 Common OSS Supply Chain Threats ................................ ................................ ................................ .............. 6 Secure Supply Chain Consumption Framework Practices ................................ ................................ ............. 8 Target Audience ................................ ................................ ................................ ................................ ......... 8 Secure Supply Chain Consumption Framework Practices ................................ ................................ ......... 8 The Secure Supply Chain Consumption Framework Implementation Guide ................................ .............. 12 Target Audience ................................ ................................ ................................ ................................ ....... 12 Secure Supply Chain Consumption Framework Levels of Maturity ................................ ........................ 12 How to Assess Where Your Organization is in the Maturity Model? ................................ ...................... 14 Secure Supply Chain Consumption Framework Requirements ................................ ............................... 16 Secure Supply Chain Consumption Framework Tooling Availability ................................ ....................... 18 Implementing the Supply Chain Consumption Framework by Level ................................ ...................... 19 Conclusion ................................ ................................ ................................ ................................ .................... 26 Appendix: Relation to SCITT ................................ ................................ ................................ ........................ 27 Appendix: Mapping Secure Supply Chain Consumption Framework Requirements to Other Specifications ................................ ................................ ................................ ................................ ................................ ..... 27 Appendix: References ................................ ................................ ................................ ................................ .. 29 Document Change Record Date Author Version Change Reference 8/1/20 22 Adrian Diglio (Microsoft) 1.0 Initial release 10/19/2022 Jasmine Wang (Microsoft) 1.1 Resolving GitHub issues #5, #6, #7, #9, #1. Replaced references to "Microsoft OSS SSC Framework" with " Secure Supply Chain Consumption Framework." 7/18/2023 Jasmine Wang (Microsoft) 1.2 Resolving GitHub issues #14, #16, and some of #22. I