Thanks for clarifying, Bob. The Federal Register announcement also contains some interesting requests for feedback on questions the SBOM community has been discussing for years:
* How should SBOMs be collected from contractors? What specific protections are necessary for the information contained within an SBOM?
* How should the Government think about the appropriate scope of the requirement on contractors to provide SBOMs to ensure appropriate security?
* What challenges will contractors face in the development of SBOMs? What challenges are unique to software resellers? What challenges exist regarding legacy software?
* What are the appropriate means of evaluating when an SBOM must be updated based on changes in a new build or major release?
* What is the appropriate balance between the Government and the contractor, when monitoring SBOMs for embedded software vulnerabilities as they are discovered?

FYI: IETF SCITT successfully demonstrated one solution for SBOM distribution during the Hackathon in July: https://energycentral.com/c/iu/international-trust-registry-demonstration-success

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Martin, Robert A
Sent: Tuesday, October 3, 2023 11:36 AM
To: [email protected]
Subject: Re: [spdx-tech] Significant announcement from DOD regarding SBOM

Hi Dick,

Little clarification - this is a proposed FAR change coming from DoD, GSA, and NASA. If implemented after the public comment period, this would be in effect for all government procurements on both the military and civilian sides of government. Comments are due 4 December 2023 here: http://www.regulations.gov/commenton/FAR-2021-0017-0001

Bob

Robert (Bob) Martin
Sr. Software and Supply Chain Assurance Principal Eng.
Cross Cutting Solutions and Innovation Dept
Cyber Solutions Innovation Center
MITRE Labs
MITRE Corporation
781-271-3001 (o)
781-424-4095 (c)

On 10/3/23 11:10 AM, Dick Brooks wrote:

FYI: Today, DoD issued guidance regarding SBOM requirements and vulnerability reporting: https://www.federalregister.gov/documents/2023/10/03/2023-21328/federal-acquisition-regulation-cyber-threat-and-incident-reporting-and-information-sharing

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

View/Reply Online (#5369): https://lists.spdx.org/g/Spdx-tech/message/5369
