Supply Chain Security

Software Supply Chain Security

In recent years, alongside license compliance, security vulnerability management and software supply chain security have emerged as critical challenges in the open source ecosystem. As regulations tighten in the United States and Europe, SBOM (Software Bill of Materials) management and systematic vulnerability response have become essential.

To strengthen the transparency and security of its software supply chain, SK Telecom has established a systematic management process and provides guidelines that both internal members and suppliers must comply with.

Guide Structure

Supply Chain Security Overview

Explains why supply chain security matters, the global regulatory landscape, and SK Telecom’s supply chain security policy.

SBOM Management

Provides a technical guide for both internal members and suppliers on what an SBOM is and how to generate and manage one.

Supplier Guide

Provides SBOM submission requirements and a generation guide for suppliers that deliver software to SK Telecom.

Key Standards and Specifications

• ISO/IEC 18974: OpenChain Security Assurance Specification
• SPDX (ISO/IEC 5962): Software package data exchange standard
• CycloneDX: Security-focused SBOM standard
• NIST SSDF: Software supply chain security framework

For related regulatory trends (U.S. EO 14028, the EU Cyber Resilience Act, etc.), see the Regulatory Trends page.

Contact

If you have any questions regarding supply chain security, please refer to the following.

• Supply chain security policy inquiries: opensource@sktelecom.com
• SBOM submission: Contact your business unit and security team representatives (see Submission Process)