Just in case you're wondering where DHS stands, it has officially endorsed CSAF VEX:
https://downloads.regulations.gov/CISA-2023-0001-0062/attachment_1.pdf

"In the paper below (Consolidated.SBOM.CSAF.VEX.Operational.Framework), we summarized the most pressing points regarding the implementation of Office of Management and Budget's (OMB's) memorandum M-22-18 ("the Memo" or "M-22-18") surrounding Software Bill of Materials (SBOM) and the Vulnerability Exploitation eXchange (VEX)."

No mention of NIST SBOM VDR in the DHS document. Very interesting.

I think someone should remind Mr. Costello that OMB M-22-18 emphasizes the use of NIST standards when referring to "NIST Guidance" in M-22-18, and there is NO MENTION of VEX in M-22-18. CSAF VEX is a standard being developed by a European agency. I'm perplexed why the US Government is NOT supporting the Cybersecurity standards developed by NIST, per OMB M-22-18 requirements.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Tel: +1 978-696-1788
