Just an FYI:

Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Offers with regard to OMB M-22-18 and EO 14028.

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing semantics of the software supply chain.

I welcome your feedback on what I sent to the Task Force earlier, shown here:

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are "at least" three distinctive roles:

1. Supplier

    Here is how the NTIA documents describe Supplier, which I agree with:

    https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

    REF Page 9:

        Supplier Name

        The name of an entity that creates, defines, and identifies components.

        Supplier refers to the originator or manufacturer of the software component.

    No consensus was reached within the SPDX Tech community on the semantics of "Supplier".

    REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e. end users, vendors and distributors.

2. Vendor

    No consensus was reached within the SPDX Tech community on the semantics of "Vendor".

    REA asserts that a vendor is the party that "transacts" in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a "Vendor Response File" <https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements>. A Systems Integrator is considered a Vendor (not a supplier).

3. Distributor

    No consensus was reached within the SPDX Tech community on the semantics of "Distributor".

    REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v 3.0:

"Supplier refers to the originator or manufacturer of the software component."

It's entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

I welcome your thoughts and insights on these 3 roles.

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report! <https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

View/Reply Online (#5014): https://lists.spdx.org/g/Spdx-tech/message/5014