[UPDATE January 22, 2025: President Trump has elected to retain Executive Order 14144 of January 16, 2025, which requires government agencies to procure secure software products, a requirement originally proposed in Executive Order 13873, issued by President Trump on May 15, 2019. Order 14144 also alludes to a "public" registry of validated, secure products.]
[UPDATE: My April 15, 2024 slide deck presentation to NASA, describing vendor preparations and CISA Secure Software Attestation Form submission using the CISA RSAA portal, is now available online, along with other resources provided by NASA to help software vendors implement the effective Secure by Design and Secure by Default supply chain risk management (SCRM) practices required by the US Government under Executive Order 14028 and OMB M-22-18. The US Coast Guard has also announced plans to create a product "Trust Registry" (an approved products list) limiting the products that can be installed on Coast Guard IT and OT systems.]
[UPDATE Jan 15, 2024: The EU and US have agreed to collaborate on an international "trust mark", which could be made accessible through an international "Trust Registry", like a "Registry of Deeds", as seen in this conceptual "label lookup example" (displaying an appropriate "Label Type Identifier", of course). Hopefully, colleagues attending #Davos24 will raise the need to provide consumers with a trust anchor and greater visibility (radical transparency) into the trustworthiness of software, IoT devices and other "digital things" and their supply chains.]
[UPDATE Feb 16, 2024: Apple has announced a "notarization service" that appears very similar, in concept, to a Trust Registry.]
The Internet Engineering Task Force (IETF) Supply Chain Integrity, Transparency and Trust (SCITT) working group has spent the past 12 months developing an international "Trust Registry" capability for the software supply chain. A SCITT Trust Registry works like a "Registry of Deeds": just as a deeds registry has strict controls over what is recorded in it, only legitimate, trusted information is admitted to a SCITT Trust Registry. Software producers place their supply chain information into the registry, and software consumers retrieve that information from a source they know to be trustworthy. The registered information can include the location of an SBOM, the Supplier ID of a software product and other artifacts such as a Vulnerability Disclosure Report (VDR). A link to a Cybersecurity Trust Label can also be registered, so that a consumer can "check the trustworthiness of a product" by following the link to a trust label that displays a "trust score" before buying. The approach shown in the SCITT demonstration can also support the EU Cyber Resilience Act (CRA) requirements for CE marking stated in Article 22 and the CRA Annex I requirements for "Secure by Default" verification.
This makes it convenient for a consumer to check the trustworthiness of an IoT device, or of an app in an app store, by retrieving the "registered trust label" from a SCITT Trust Registry and reading its "trust score" before buying. The idea is similar to the "Restaurant Cleanliness Score" analogy that Anne Neuberger used when presenting the National Cybersecurity Strategy. Would you eat at a restaurant with a cleanliness score of "F"? Would you buy an IoT device with a "Trust Score" of "F"? I wouldn't do either of these. A working, production example of a "Trust Label" lookup is available in REA's SAG-CTR(TM), and a QR-code example is available here.
The world of Internet of Things (IoT) devices is international by its very nature. That is why it is important to have an internationally recognized and approved "Trust Registry" capability that everyone can use and trust. A consumer on vacation in Australia can check the "Trust Score" of an IoT device manufactured in China before buying it, by looking it up in an internationally adopted "Trust Registry". Wherever you are on Earth, an internationally adopted "SCITT Trust Registry" works exactly the same way, because it follows the internationally developed and adopted IETF SCITT standard for trust registries.
The World Economic Forum has written about the importance of establishing trust as the world continues its march toward digitalization. The potential for deepfakes and "AI" adds to the need for a trustworthy means of ascertaining the trustworthiness of digital devices and software. That is what a SCITT Trust Registry provides: assurance that the information in the Trust Registry is trustworthy. The UK Government has also released a report identifying the need to determine the trustworthiness of open source software products as a gap in the software supply chain.
On July 22, the IETF SCITT working group successfully demonstrated an internationally developed SCITT Trust Registry at the IETF meeting Hackathon in San Francisco. The demonstration showed how a party (a software producer) can register a "Trust Statement" in a SCITT Trust Registry listing software supply chain information, including an SBOM and a Cybersecurity Trust Label, for software products and IoT devices, which consumers can then use to ascertain the trustworthiness of a product before buying. The demonstration was a complete success, showing that the concept works as expected. More work remains before the IETF SCITT effort is complete, but this first successful demonstration of a SCITT Trust Registry is good reason to be optimistic about this valuable and important function for helping society determine trust in software products and IoT devices, internationally.
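The registration-and-lookup flow described above (a producer registers a signed "Trust Statement", the registry admits only what it can vouch for, and the consumer checks what it retrieves against the registry as a known trusted source) is shown below as an added example in Go. This is not the IETF SCITT reference code and not the hackathon demonstration: it is a toy transparency service written for this page. Everything named in it is an assumption (the Statement fields, the Receipt layout, the `%x:%d` tree-head encoding, the example.test URLs). Real SCITT signs statements and receipts as COSE structures; here an Ed25519 signature over JSON stands in for the statement envelope, and an Ed25519 signature over an RFC 6962 Merkle tree head, plus an inclusion path, stands in for the receipt.

```go
// Added example (not the IETF SCITT reference code): a toy "Trust Registry" modelled on a
// SCITT transparency service. Type names, field names and byte encodings are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"math/bits"
)

// Statement is the producer's claim; the fields mirror what the text says a registry holds.
type Statement struct{ SupplierID, Product, SBOMURL, TrustLabelURL string }
// SignedStatement stands in for SCITT's COSE_Sign1 envelope: payload, signature, issuer key.
type SignedStatement struct {
	Payload, Signature []byte
	Issuer             ed25519.PublicKey
}
func (ss SignedStatement) envelope() []byte { return append(append(append([]byte{}, ss.Issuer...), ss.Signature...), ss.Payload...) }
// Sign is the producer step: serialise the claim and sign it with the issuer's key.
func Sign(priv ed25519.PrivateKey, s Statement) SignedStatement {
	payload, _ := json.Marshal(s) // a struct of strings always marshals
	return SignedStatement{payload, ed25519.Sign(priv, payload), priv.Public().(ed25519.PublicKey)}
}

// RFC 6962 Merkle tree (0x00 leaf / 0x01 node prefixes). tree returns MTH(D[n]) and
// PATH(m, D[n]) in leaf-to-root order, splitting at the largest power of two below n.
func leafHash(b []byte) [32]byte      { return sha256.Sum256(append([]byte{0}, b...)) }
func nodeHash(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...)) }
func tree(leaves [][32]byte, m int) ([32]byte, [][32]byte) {
	if len(leaves) == 1 { return leaves[0], nil }
	k := 1 << (bits.Len(uint(len(leaves)-1)) - 1)
	l, lp := tree(leaves[:k], m)
	r, rp := tree(leaves[k:], m-k)
	if m < k {
		return nodeHash(l, r), append(lp, r)
	}
	return nodeHash(l, r), append(rp, l)
}
// Receipt is the registry's signed tree head plus this entry's inclusion path.
type Receipt struct {
	Index, TreeSize int
	Root            [32]byte
	Path            [][32]byte
	RegistrySig     []byte // Ed25519 over treeHead(Root, TreeSize)
}
func treeHead(root [32]byte, size int) []byte { return []byte(fmt.Sprintf("%x:%d", root, size)) }
// Registry is the append-only log; only an enrolled issuer may register (the "registry of deeds" rule).
type Registry struct {
	key     ed25519.PrivateKey
	Pub     ed25519.PublicKey
	issuers map[string]bool
	leaves  [][32]byte
}
func NewRegistry(enrolled ed25519.PublicKey) *Registry {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Registry{key: priv, Pub: pub, issuers: map[string]bool{string(enrolled): true}}
}
// Register refuses unknown issuers and bad signatures; otherwise it appends and issues a receipt.
func (r *Registry) Register(ss SignedStatement) (Receipt, error) {
	if !r.issuers[string(ss.Issuer)] || !ed25519.Verify(ss.Issuer, ss.Payload, ss.Signature) {
		return Receipt{}, fmt.Errorf("refused: issuer not enrolled or signature invalid")
	}
	r.leaves = append(r.leaves, leafHash(ss.envelope()))
	i, n := len(r.leaves)-1, len(r.leaves)
	rt, pf := tree(r.leaves, i)
	return Receipt{i, n, rt, pf, ed25519.Sign(r.key, treeHead(rt, n))}, nil
}
// Verify is the consumer step: accept only a tree head signed by the registry it trusts, walk the
// inclusion path (RFC 9162, section 2.1.3.2), then check the issuer's own signature on the payload.
func Verify(registryPub ed25519.PublicKey, ss SignedStatement, rc Receipt) bool {
	if rc.Index >= rc.TreeSize || !ed25519.Verify(registryPub, treeHead(rc.Root, rc.TreeSize), rc.RegistrySig) {
		return false
	}
	fn, sn, h := rc.Index, rc.TreeSize-1, leafHash(ss.envelope())
	for _, p := range rc.Path {
		if sn == 0 { return false }
		if fn&1 == 1 || fn == sn {
			h = nodeHash(p, h)
			for fn&1 == 0 && fn != 0 { fn, sn = fn>>1, sn>>1 }
		} else {
			h = nodeHash(h, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && h == rc.Root && len(ss.Issuer) == ed25519.PublicKeySize && ed25519.Verify(ss.Issuer, ss.Payload, ss.Signature)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry(vendorPub)
	ss := Sign(vendorPriv, Statement{"example-vendor", "SmartPlug", "https://example.test/sbom", "https://example.test/label"})
	rc, err := reg.Register(ss) // constructed sample claim; an issuer that is not enrolled is refused here
	fmt.Println("registered:", err == nil, "consumer verifies:", Verify(reg.Pub, ss, rc))
	ss.Payload[len(ss.Payload)-3] ^= 1 // a tampered copy no longer matches the receipt
	fmt.Println("tampered copy verifies:", Verify(reg.Pub, ss, rc))
}
```

Three properties of the text's "registry of deeds" are visible in the code: Register refuses a statement whose issuer key is not enrolled, the receipt binds the exact bytes that were registered (so a tampered copy fails the inclusion check before the issuer signature is even examined), and a receipt from a different registry is rejected because the consumer trusts only its own registry key. What the toy leaves out, and a real SCITT transparency service needs, are consistency proofs between successive tree heads (so the registry cannot silently fork or rewrite its log), durable storage, and an issuer identity scheme richer than a raw public key.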