CORRECTION
My apologies, this endorsement for CSAF VEX is NOT from DHS, but a coalition supporting OASIS.

Please accept my apologies for this misunderstanding.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Friday, June 23, 2023 12:14 PM
To: 'SPDX Technical Mailing List' <[email protected]>
Cc: [email protected]
Subject: [spdx-tech] DHS formally endorses CSAF VEX

Just in case you're wondering where DHS stands, it has officially endorsed CSAF VEX;

https://downloads.regulations.gov/CISA-2023-0001-0062/attachment_1.pdf

"In the paper below (Consolidated.SBOM.CSAF.VEX.Operational.Framework), we summarized the most pressing points regarding the implementation of Office of Management and Budget's (OMB's) memorandum M-22-18 ("the Memo" or "M-22-18") surrounding Software Bill of Materials (SBOM) and the Vulnerability Exploitation eXchange (VEX)."

No mention of NIST SBOM VDR in the DHS document. Very interesting.

I think someone should remind Mr. Costello that OMB M-22-18 emphasizes the use of NIST standards when referring to "NIST Guidance" in M-22-18 and there is NO MENTION of VEX in M-22-18. CSAF VEX is a standard being developed by a European agency.

I'm perplexed, why the US Government is NOT supporting the Cybersecurity standards developed by NIST, per OMB M-22-18 requirements.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
