Cybertrust Announces Vision for Trust Infrastructure Targeting Critical Infrastructure Supply Chains in the AI Era

Cybertrust Co., Ltd. (Headquarters: Minato-ku, Tokyo; President and CEO: Yuji Kitamura; hereinafter 'Cybertrust') announces the 'Vision for Trust Infrastructure Targeting Critical Infrastructure Supply Chains in the AI Era' (hereinafter 'this initiative') to support the IT infrastructure operations of critical infrastructure in the AI era.

This initiative is based on the concept that AI reliability is enhanced through software transparency (platform services) and data authenticity (trust services). By integrating the two core services Cybertrust has offered since its founding, the company aims to realize a foundation enabling critical infrastructure operators to securely and continuously manage their IT infrastructure even in the AI era.

As the first step of this initiative, Cybertrust will collaborate with Dark Sky Technology, Inc. (Headquarters: Fort Collins, Colorado, USA; CEO: Michael Mehlberg; hereinafter 'Dark Sky') to sequentially launch the 'OSS Compliance Certification Service' from September 2026 onward, targeting critical IT systems and embedded products.
This service will support the establishment of OSS acceptance criteria, evaluation of SBOMs and OSS configuration information, vulnerability response decisions, and the creation of reports for audits and customer explanations.

■ Background of the Initiative

In software development and operations, the use of AI for code generation, suggesting additions or modifications to OSS, and operational tasks is expanding.
However, in critical infrastructure, code or configuration changes generated or proposed by AI, or the addition of OSS, cannot be used as-is. There is a need for continuous verification and explanation of software composition, OSS provenance and maintenance status, justification for vulnerability responses, change history, and audit trails.

As AI adoption grows, critical infrastructure operators require mechanisms to continuously manage the software foundation supporting AI and their OSS usage.

In Japan, the Ministry of Economy, Trade and Industry (METI) and the National Cybersecurity Strategy Office of the Cabinet Secretariat will establish the 'Guidelines on Roles and Responsibilities for Cyber Infrastructure Operators' in March 2026, outlining a framework for software developers, suppliers, operators, and their customers to recognize their shared responsibility for security across the entire supply chain※1.

Cybertrust is advancing this initiative in response to these market conditions and domestic and international guidelines, aiming to support the continuous operation and management of IT infrastructure required for critical infrastructure in the AI era.

■ About the Trust Infrastructure Vision

The trust infrastructure in this initiative refers to a concept of continuously managing, across the entire lifecycle, the IT infrastructure, OS, OSS, software configuration information, vulnerability responses, and operational audit trails that support critical infrastructure.
In the AI era, while software development and operations accelerate, it is necessary to maintain a continuously explainable state regarding the OSS used, code generated, patches applied, and operational decisions made.
Furthermore, as the use of AI agents and AI-generated data progresses, international standardization discussions on authentication, authorization, and data authenticity are advancing. In particular, for critical infrastructure, compliance with frameworks such as ICAM, ABAC, and IPSIE※2 is also important.

Cybertrust will leverage its expertise cultivated through MIRACLE LINUX, AlmaLinux, and EMLinux—including long-term maintenance of Linux/OSS, embedded Linux development, contributions to OSS communities, and SBOM operations—and integrate it with its knowledge in trust services related to authentication, authorization, and data authenticity, aiming to realize the trust infrastructure required for critical infrastructure in the AI era.

■ First Initiative: Collaboration with Dark Sky Technology

As the first step of this initiative, Cybertrust will collaborate with Dark Sky to support the safe and continuous operation of OSS for critical infrastructure.
This service combines Dark Sky’s software supply chain security platform 'Bulletproof Trust' with Cybertrust’s expertise in long-term Linux/OSS maintenance, embedded Linux development, SBOM operations, and domestic support.

Bulletproof Trust supports SBOM management, health assessment of OSS packages and risk assessment of dependencies, threat intelligence, and audit trail management. This ensures that each package’s health is verified before OSS usage begins, keeping the development environment secure at all times. It also enables continuous evaluation and management of OSS risks from development through post-release operations.

Cybertrust will provide support for domestic customer onboarding, OSS operational design, and audit and customer explanation support. By combining their respective expertise, both companies will support the safe and continuous operation of OSS in critical infrastructure.

■ About the OSS Compliance Certification Service

The 'OSS Compliance Certification Service' is a service that supports operations in which OSS usage is not merely adopted, but decisions on whether to use OSS and response policies are made before use, during use, and upon vulnerability discovery, with justifications clearly documented and explainable.

This service primarily supports:

- Establishment of OSS acceptance criteria and operational policies
- Evaluation of SBOMs and OSS configuration information
- Verification of OSS maintenance status, vulnerabilities, licenses, and development community risks
- Prioritization of vulnerability responses
- Documentation of justifications for exception decisions and continued use
- Support for creating reports for audits and customer explanations

Simply creating an SBOM does not equate to secure OSS operation. The key is to use SBOMs and OSS configuration information to determine which OSS can be used, which require additional review, which should be avoided, and which may be exceptionally permitted, and to document the reasons. Cybertrust and Dark Sky will position this operation as the 'OSS Compliance Certification Service' and provide it to prime vendors involved in critical IT systems and embedded products.

■ Future Developments

Cybertrust will progressively expand its trust infrastructure initiatives targeting critical infrastructure supply chains, centered on this vision.
First, through collaboration with Dark Sky, the company will advance the service offering for prime vendors involved in critical IT systems and embedded products, including establishing OSS acceptance criteria, SBOM evaluation, vulnerability response decisions, and audit report support.

For critical IT systems, starting with OSS acceptance evaluation, configuration information assessment, and audit explanation support based on existing development and operational environments, expansion to automation will be considered as needed.

For embedded products, expansion will be considered to include information management across development and operational processes—such as CI, build artifact management, and test result management—in coordination with EMLinux and EMLinux Custom Maintenance Services.

In the future, the company aims to realize an operational management foundation enabling critical infrastructure operators to safely continue using OSS in the AI era, incorporating mechanisms for reviewing AI-generated code and modification suggestions, assessing the real-world impact and necessity of responses to detected vulnerabilities, and managing signed audit trails. Additionally, Cybertrust will continue to develop trust services aligned with international standardization trends in authentication, authorization, and data authenticity.