No census of the critical open source dependencies underpinning UK government and CNI
DSIT's commissioned research (2025) tells businesses to keep SBOMs, and the NCSC warns of active dependency-compromise attacks and urges organisations to check their dependencies, but the state has never aggregated this picture. There is no inventory of which open source components government services and critical national infrastructure actually depend on, who maintains them, or how healthy they are (contrast the Harvard/Linux Foundation 'Census II' of most-used OSS, and US federal SBOM aggregation under EO 14028). Without this evidence base, neither NCSC prioritisation nor any future UK maintenance fund can be targeted, and ministers can honestly say they don't know what the UK runs on.
You cannot defend or fund what you haven't mapped. A census converts open source risk from anecdote (Log4j surprised everyone) into a ranked, actionable list, and is the analytic precondition for a UK Sovereign Tech Fund.
An NCSC/DSIT-commissioned recurring census aggregating SBOMs across departments and CNI operators, published with criticality and maintainer-health rankings; deliverable by an academic-industry consortium in under a year using existing SCA tooling.
// Build together: Counterparty: NCSC/DSIT commission plus departmental and CNI SBOM access; privileged data outsiders cannot scrape.
Cheap, deliverable within a year on existing tooling, and entirely unowned, this evidence base is the analytic precondition for targeting any maintenance fund or NCSC prioritisation.