CR NI May 5

Towards a Zero-Trust Supply-Chain Assurance Rubric for ORAN RIC Applications

arXiv:2605.0424923.1
AI Analysis

For operators and developers of O-RAN RIC applications, this paper provides a structured approach to supply-chain security, but it is a preliminary framework without empirical validation.

The paper proposes a zero-trust supply-chain assurance rubric for O-RAN RIC applications, including a threat model, threat-control-evidence mapping, and an assurance profile. The evaluation is analytical, with empirical measurements left for future work.

Open RAN enables third-party xApps and rApps to be onboarded and updated at operational cadence, creating a software supply chain that spans developers, CI systems, registries, onboarding pipelines, and runtime enforcement points. This preprint proposes a zero-trust supply-chain assurance rubric for O-RAN RIC applications. It makes three contributions: first, an app-centric lifecycle threat model for RIC applications across build, signing, publication, onboarding, runtime, and update or rollback stages; second, a WG11-aligned threat-control-evidence mapping that relates lifecycle threats to O-RAN security baselines and complementary supply-chain evidence; and third, an operator-facing assurance profile that combines secure software development practices, SBOM transparency, and SLSA-style provenance into incremental onboarding levels. Analytical case-study walkthroughs and a minimal evidence-checking workflow illustrate how the rubric can support explicit Accept, Escalate, or Block decisions during RIC app onboarding. The evaluation is intended to assess applicability rather than deployment-scale performance; empirical measurements of operational overhead, decision consistency, and detection coverage are left for future work.
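The onboarding decision logic described above, as an added example that is not the paper's own code: an evidence-checking function that maps the signature, SBOM and provenance carried in an onboarding bundle to an explicit Accept, Escalate or Block. The bundle layout, the three-level profile in LEVELS, the trusted-builder URL and the use of HMAC-SHA256 as a stand-in for publisher signatures are assumptions made here so the example runs on the standard library alone; they are not taken from the paper.

```python
"""Evidence-checking workflow for RIC app onboarding.

Added example, not the paper's code. Assumptions (not from the page): the
onboarding bundle keys, the three-level profile in LEVELS, the trusted-builder
set, and HMAC-SHA256 as a stand-in for publisher signatures.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins; a real pipeline verifies asymmetric signatures
# (e.g. Sigstore/cosign) against a trusted publisher key, not a shared secret.
PUBLISHER_KEY = b"constructed-publisher-key"
TRUSTED_BUILDERS = {"https://ci.example.invalid/builder"}

# Assumed incremental onboarding profile: each level requires more evidence.
LEVELS = {
    1: {"signature"},
    2: {"signature", "sbom"},
    3: {"signature", "sbom", "provenance"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(artifact: bytes, key: bytes = PUBLISHER_KEY) -> str:
    """Publisher signature stand-in (HMAC over the artifact bytes)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def make_bundle(artifact: bytes, sbom=None, provenance=None, key=PUBLISHER_KEY) -> dict:
    """Constructed onboarding bundle, shaped as a developer's CI would publish it."""
    digest = sha256_hex(artifact)
    if provenance is not None:
        provenance = dict(provenance, subject_digest=digest)
    return {"artifact": artifact, "digest": digest, "signature": sign(artifact, key),
            "sbom": sbom, "provenance": provenance}


@dataclass
class Decision:
    verdict: str                     # "Accept", "Escalate" or "Block"
    reasons: list = field(default_factory=list)


def evaluate(bundle: dict, level: int) -> Decision:
    """Map the evidence in a bundle to an Accept/Escalate/Block decision."""
    artifact, required, reasons = bundle["artifact"], LEVELS[level], []

    # Hard failures: evidence that is present but does not verify means the
    # artifact may have been tampered with somewhere in the chain, so block.
    if bundle.get("digest") != sha256_hex(artifact):
        return Decision("Block", ["artifact digest does not match claimed digest"])
    sig = bundle.get("signature")
    if sig is not None and not hmac.compare_digest(sig, sign(artifact)):
        return Decision("Block", ["publisher signature does not verify"])
    prov = bundle.get("provenance")
    if prov is not None and prov.get("subject_digest") != bundle["digest"]:
        return Decision("Block", ["provenance subject does not match the artifact"])

    # Soft failures: evidence required at this level is missing or weak, so a
    # human reviews rather than the pipeline silently accepting or rejecting.
    for kind in sorted(required):
        if bundle.get(kind) is None:
            reasons.append(f"missing {kind}, required at level {level}")
    if "provenance" in required and prov is not None and prov.get("builder") not in TRUSTED_BUILDERS:
        reasons.append(f"provenance builder {prov.get('builder')!r} is not trusted")
    sbom = bundle.get("sbom")
    if "sbom" in required and sbom is not None:
        unpinned = [c["name"] for c in sbom if not c.get("version")]
        if unpinned:
            reasons.append(f"SBOM components without a pinned version: {unpinned}")
    if reasons:
        return Decision("Escalate", reasons)
    return Decision("Accept", [f"all level-{level} evidence present and verified"])


if __name__ == "__main__":
    xapp = b"constructed xApp image bytes"
    sbom = [{"name": "libfoo", "version": "1.2.3"}]
    prov = {"builder": "https://ci.example.invalid/builder"}
    print(evaluate(make_bundle(xapp, sbom, prov), 3))
    print(evaluate(make_bundle(xapp), 2))
    tampered = dict(make_bundle(xapp, sbom, prov), artifact=xapp + b"!")
    print(evaluate(tampered, 3))
```

The split between hard and soft failures is the design point: evidence that is present but fails to verify (digest, signature, provenance subject) is treated as possible tampering and blocks unconditionally, while evidence that is merely absent or weaker than the requested onboarding level demands is routed to a reviewer, which keeps the pipeline from silently downgrading a level-3 requirement to whatever the developer happened to ship.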
