NOTE: SBOM is a fundamental requirement in the CISA SAG, along with vulnerability disclosure reports, VDR.
https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

We've tried to make it easy for consumers to check for "Secure by Design" products and vendor practices:

Step 1. Download CISA's Software Assurance Guide spreadsheet: https://www.cisa.gov/sites/default/files/2024-08/PDM24064%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20Consumers%20Final-%2020240710_v19.xlsx

Step 2. Send the spreadsheet to your vendors, respectfully asking that vendors complete the spreadsheet and return it. There are only 19 top-level yes/no control questions to answer.

Step 3. Evaluate the returned spreadsheets to determine which software vendors are following the prudent and practical guidance contained in CISA's Software Assurance Guide: https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

Step 4. Decide which vendors and products you're willing to trust, based on risk appetite, risk tolerance and risk threshold.

View/Reply Online (#5686): https://lists.spdx.org/g/Spdx-tech/message/5686
