Excellent point, Charlie. This is what happens when Joanne has a golf tournament and I'm not included.
Totally agree NDAA != 14028, but there is considerable overlap in the requirements. FYI: I've had conversations with BSA and ITI this week to show them what's possible today with SBOM and vulnerability monitoring by consumers. Software consumers bear all the risk of cyber-attacks, and software vendors could show more empathy for the plight of these consumers by giving them an SBOM so they can monitor for risk in installed components when new vulnerabilities are reported. The optics of resistance to this one small but meaningful gesture are putting software vendors in a position of appearing like they don't care about what happens to their customers, and that would not be good. The new OMB directives will help consumers get the visibility they deserve and need, IMO. I continue to reach out to our BSA and ITI colleagues and others in the SBOM community to collaborate on the implementation of NIST EO 14028 recommendations in the OMB memo.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Hart, Charlie <[email protected]>
Sent: Saturday, September 17, 2022 1:15 PM
To: [email protected]; 'SPDX Technical Mailing List' <[email protected]>; [email protected]
Cc: 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>
Subject: Re: [EXT][SCITT] Just want to raise your awareness to some FUD from BSA and ITI making the rounds

Both Dick and I need hobbies for sure. That letter is commenting on the NDAA, which is separate from 14028. I don't know much about it. I think BSA and ITI were taken by surprise at the groundswell for SBOMs and are now scrambling to get some order in the household.

One thing that might account for the late push: 14028 can be waived by the EOP any time for procurement of something problematic; NDAA, if passed, will be somewhat unavoidable. The threat of USG not getting access to top software immediately made me think: Palantir wrote this.

Charlie

_____

From: SCITT <[email protected]> on behalf of Dick Brooks <[email protected]>
Sent: Saturday, September 17, 2022 1:04 PM
To: [email protected]; 'SPDX Technical Mailing List' <[email protected]>
Cc: 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>
Subject: [EXT][SCITT] Just want to raise your awareness to some FUD from BSA and ITI making the rounds

FYI: https://www.linkedin.com/posts/richard-dick-brooks-8078241_iti-and-bsa-letter-opposing-sbom-and-nist-activity-6976931523883065344-0J8-/?utm_source=share&utm_medium=member_desktop

Good to know the SCITT use case for SBOM that we've been discussing aligns more closely with NIST and White House views, and OMB directives, on software supply chain practices: https://www.linkedin.com/posts/richard-dick-brooks-8078241_omb-memo-outlining-secure-software-supply-ugcPost-6976939817175523328-DtfI?utm_source=share&utm_medium=member_desktop

Link to the SCITT SBOM Use Case and presentation are here: https://hackmd.io/QuqKhy_bQ1qG9yyyBuEABg?view

Thanks,

Dick Brooks

View/Reply Online (#4783): https://lists.spdx.org/g/Spdx-tech/message/4783
