FYI: An update today from Allan Friedman re: CISA SBOM activities - see email below.
NOTE from Allan: As a reminder, CISA facilitates these open discussions, but the participants shape the agenda. These are also expressly not a forum for discussing USG policy, or offering any kind of advice to CISA.

CISA does have sanctioned activities that touch on SBOM matters under the ICT_SCRM Task Force, which are producing Guidance Documents issued by CISA: https://www.cisa.gov/sites/default/files/publications/Securing-SMB-Supply-Chains_Resource-Handbook_508.pdf

ICT_SCRM Task Force work streams and other information, e.g., task force membership, are also available here; the Small and Medium Business Guidebook was published in January 2023: https://www.cisa.gov/resources-tools/groups/ict-supply-chain-risk-management-task-force

I work on three ICT_SCRM Task Force work streams:
* Small and Medium-sized Businesses Working Group
* Software Assurance Working Group
* Product Marketing Working Group

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report! https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Friedman, Allan <[email protected]>
Sent: Tuesday, March 14, 2023 10:39 AM
To: Murphy, Justin <[email protected]>; DOSCHER, MEGAN <[email protected]>; SBOM <[email protected]>
Cc: STODDARD, JEREMIAH (CTR) <[email protected]>
Subject: CISA SBOM update

Dear SBOM community,

Over the last few months, the five community-led workstreams on SBOM have been making progress. Below is a quick summary of the focus and current activities of each group. As a reminder, CISA facilitates these open discussions, but the participants shape the agenda. These are also expressly not a forum for discussing USG policy, or offering any kind of advice to CISA.

If you would like to join any of the mailing lists, please send us a note at [email protected]. Please don't hesitate to reach out if you have any questions.

allan

VEX
Monday, 10 AM ET - 11 AM ET (email [email protected] for calendar invite)

This workstream defines and refines the Vulnerability Exploitability eXchange (VEX) model, which allows attestations on whether a product is affected or not affected by a given vulnerability, and characterizes VEX use cases and operations.

Current activities:
* A completed "Minimum Requirements for VEX" document was finalized by the working group and will be shared on the CISA SBOM page. This document will help support scalable implementations and serve to harmonize expectations.
* Next steps: continue working on VEX guidance, including sharing some options for when to issue a VEX.

Sharing & Exchanging SBOMs
Monday, 12 PM ET - 1 PM ET (email [email protected] for calendar invite)

The Sharing and Exchanging workstream focuses on the topic of moving SBOMs and related metadata across the software supply chain. The working group discusses how to enable discovery and access, while underscoring the importance of solution interoperability.

Current activities:
* Exploring specific sharing use cases to better understand sharing requirements.
* Simple use cases around software delivery, and a customer asking for an SBOM.
* More complex use cases include (1) a multipart supply chain with varying access control and (2) an operational approach to integrate SBOM data into a network with asset management or vulnerability management.

On-Ramps & Adoption
Tuesday, 12 PM ET - 1 PM ET (email [email protected] for calendar invite)

The On-Ramps and Adoption workstream focuses on promoting education and awareness to help lower the costs and complexities of adoption, allowing newer or less mature organizations to provide, request, and use SBOMs to secure and understand their organization's risk. The goal is to meet people where they are, remove barriers, reduce friction, and accelerate adoption. The workstream may define further use cases for SBOM. The final workstream focus is to coordinate efforts across all new and existing SBOM-related workstreams to help in communications as well as to help avoid substantive overlap.

Current activities include:
* Providing explicit guidance around SBOM use for the acquisition / procurement use case.
* How to enable and support organizations asking for SBOMs.
* Updating and expanding the SBOM FAQ.

Cloud & Online Applications
Wednesday, 3 PM ET - 4 PM ET (email [email protected] for calendar invite)

The Cloud and Online Applications workstream focuses on integrating current understanding around SBOM into the context of online applications and distributed, on-demand infrastructure. Most of the existing discussion around SBOM, particularly around SBOM use cases, has focused on on-premises software. Online, cloud-based applications comprise a large and growing segment of the software ecosystem. It will be important to integrate the current understanding of SBOM with emergent advances in cloud-native technologies to tell better stories about SBOM use cases for cloud and understand how this will be handled across organizational boundaries.

Current activities include:
* Building guidance on SBOM for SaaS providers and customers
* Exploring what transparency looks like for the broader cloud stack
* Defining a model of transparency for services to track the transitive graph of online applications' use of third-party services

Tooling & Implementation
Thursday, 3 PM ET - 4 PM ET (email [email protected] for calendar invite)

The Tooling and Implementation workstream focuses on opportunities and challenges for automating the SBOM ecosystem. This ecosystem will be driven by a range of accessible and constructive tools and enabling applications, both open source and proprietary. This work will potentially enhance existing SBOM data with further implementation details, encourage interoperability, and foster the advancement and efficiency of the tooling marketplace.

Current activities include:
* A completed "Types of SBOM Documents" two-page overview was finalized by the working group and will be shared on the CISA SBOM page. This document delineates some differences and value between different types of SBOMs (for example, from source, at build, etc.) that SBOM tools can generate.
* A discussion and potential guidance around how to measure and communicate the relative quality of SBOMs.
* Beginning to plan public "plugfests" to test and advance interoperability of SBOM tools.

You are receiving this email because of interest expressed in CISA's SBOM work. To subscribe or unsubscribe, please contact [email protected]

View/Reply Online (#5035): https://lists.spdx.org/g/Spdx-tech/message/5035
