I found https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf which gives some examples of the SSDF metadata. A simple example of an attestation would be: “In product X we attest that we conform to controls described by NIST.SP.800-218” but there might also be additional evidence to provide like a list of compilers that are used, a verification job that contains a timestamp when updates were checked for and its log files or a link to a document which describes standard build processes as well.
Perhaps some of this is covered in the build profile? Can an external reference link to any type of external file? I won’t be able to make the call tomorrow because of a quarterly conflict, but I look forward to this discussion.

Thanks in advance,
Rose

From: Dick Brooks <[email protected]>
Date: Monday, April 24, 2023 at 5:39 PM
To: Rose Judge <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [spdx-tech] How to model compliance attestations in SPDX 3.0?

CISA attestation guidance will be posted in the Federal Register shortly.

On Apr 24, 2023, at 8:23 PM, Rose Judge via lists.spdx.org <[email protected]> wrote:

Hello SPDX tech,

How would one begin to track compliance attestations in SPDX 3.0? Can we model information as to evidence for compliance to SSDF controls? Currently the EO is requiring SW providers to self-attest to SSDF practices (https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-attesting), and then provide the SBOM as a companion artifact. Does SPDX allow embedding an attestation in the SBOM itself before signing?

Thanks,
Rose
