Notice:
A Compliance discussion related to CRA will be held during the Hardware and
Supply Chain Working Group Meeting.
This announcement has been sent to multiple groups as a one-time notice.
The group agenda with supporting links is below.
If there are people from other groups (internal or external) that you feel
should attend or would like to attend, please invite them.
Details:
SPDX Hardware and Supply Chain CRA discussion
Weekly
Friday at 8 CST (UTC-6)
Hardware team minutes: https://spdx.swinslow.net/p/spdx-hardware-minutes
Join Zoom Meeting
https://zoom.us/j/99157617857
Meeting ID: 991 5761 7857

# Agenda

* Review PRs & Topics:

https://github.com/spdx/spdx-3-model/issues/1149#issue

QUDT units.

* Hardware and Supply Chain Group name will remain the same; the group will
focus on Compliance

* Agenda sent to multiple groups: Tech, Threat/Controls, Functional Design,
Security, AI, and Operations.

* Please notify anyone you feel should attend with knowledge related to
compliance and regulatory issues

* Goal

* Define compliance, regulations and policy.

* The goal is to create a method for compliance.

* Establish criteria to define examples and methods to adhere to compliance.

* Agree upon criteria for validating the requirements, examples and
solution outlines

* Objectives

* Agree upon compliance examples such as CRA

* Create an outline document/spreadsheet with requirements, examples and
solution outlines

* Define method for using SPDX data and tools to provide or link data to
requirements

## Links and background

* CRA Mapping Example Outline:

Example

Implementing AI Bill of Materials (AI BOM) with SPDX 3.0: A Comprehensive
Guide to Creating AI and Dataset Bill of Materials.

https://www.linuxfoundation.org/hubfs/LF%20Research/lfr_spdx_aibom_102524a.pdf?hsLang=en


Cyber Resilience Act Requirements Standards Mapping

https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf

Review the proposed goals and objectives of CRA Mapping Example (link below)

https://docs.google.com/document/d/1didhLnnap9aucov87B51Hv7dwNKr8PwLoIilJDq6gCE/edit?usp=sharing

* Discuss CRA mapping ideas and the document developed by Greg

https://docs.google.com/document/d/1t-L2yt-zYLT3mtWC63Dy0PCl0G52NTJhsV_P26BV9oo/edit?tab=t.0


* Git Repository PR written to deal with the CRA map

https://github.com/gregshue/spdx-examples/tree/conformanceexamples/conformance/example1/content/src


* Engineering requirements vs SPDX - add questions to main document
https://docs.google.com/document/d/1t-L2yt-zYLT3mtWC63Dy0PCl0G52NTJhsV_P26BV9oo/edit?tab=t.0


* Kate related to Zephyr
https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf

* Manufacturers becoming aware of the CRA and vulnerabilities (OSS)
https://osseu2025.sched.com/event/25VnL/zephyr-evolving-to-cra-readiness-kate-stewart-the-linux-foundation



Alfred Strauch
President
Smart Talk Beacon Solutions Ltd.

Email: [email protected]
Web: www.smarttalkbeacon.com



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6029): https://lists.spdx.org/g/Spdx-tech/message/6029
Mute This Topic: https://lists.spdx.org/mt/116264397/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-