Secure Supply Chain Consumption Framework (S2C2F)

The Secure Supply Chain Consumption Framework (S2C2F) is a security assurance and risk reduction process that is focused on securing how developers consume open source software.

Who is this intended for?

This is a consumption-focused secure supply chain framework using a threat-based risk-reduction approach. The S2C2F aims to prevent the consumption of compromised and malicious OSS packages, and decrease the Mean Time To Remediate (MTTR) for addressing known vulnerabilities in OSS. The S2C2F provides security guidance and tools throughout the developer inner-loop and outer-loop processes.

The OpenSSF S2C2F is based on three core concepts: control all artifact inputs, continuous process improvement, and scale.

The S2C2F is a combination of processes and tools for any organization to adopt, along with a capability maturity roadmap to help establish a secure OSS ingestion process to protect developers from OSS Supply Chain threats, and to establish a governance program to manage your organization’s use of OSS.