Eliot,
I agree, the BSA letter wasn’t as critical of SBOM as the ITI letter. I’m thinking all of this may be moot now that the State Department Evolve RFP removed all doubt about expectations regarding SBOM delivery to the USG. An SBOM is easy to produce using existing tooling, in many cases. I don’t understand the resistance to providing consumers an SBOM so that they can monitor for new risk/vulnerabilities.

On a side note, the Evolve RFP is confused about what VEX is. This is not surprising given the confusing messaging making VEX appear like a CSAF Security Advisory, which it is not, according to Thomas Schmidt.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Eliot Lear <[email protected]>
Sent: Monday, December 5, 2022 9:01 AM
To: [email protected]; [email protected]; [email protected]
Cc: 'Friedman, Allan' <[email protected]>
Subject: Re: [SCITT] Another party claiming that SBOM is bad

I think there is some confusion about that letter. Nowhere does it say that "SBOM is bad". The concern is that Congress would specify one way of doing things, the military another, and DISA yet a third. In fact the article specifically says:

"OMB’s approach reflects a comprehensive government-wide approach that is preferable to congressional mandates directed at one agency that risk prematurely locking in technical and operational approaches for the foreseeable future. Left unchecked, these varying mandates can be expected to conflict in design and execution..."

In my view, the issue is “when” and “how”, not “if”.

Eliot

On 30.11.22 20:35, Dick Brooks wrote:

https://insidecybersecurity.com/share/14118

Wow, some people seem to think this “SBOM thing” looks like the birthchild of communism and the black plague. I don’t understand why people are so afraid of SBOM. It’s just a text file. WAZZUP with that.

Allan, looking forward to seeing you on 12/7 at FERC. I filed my testimony today, which is very supportive of SBOM, as you can imagine.

Thanks,

Dick Brooks
