Notice: A Compliance discussion related to CRA will be held during the Hardware and Supply Chain Working Group Meeting. This announcement has been sent to multiple groups as a one-time notice. The group agenda with supporting links is below. If there are people from other groups (internal or external) that you feel should attend or would like to attend, please invite them.

Details: SPDX Hardware and Supply Chain CRA discussion
Weekly Friday at 8 CST (-6 UTC)
Hardware team minutes: https://spdx.swinslow.net/p/spdx-hardware-minutes
Join Zoom Meeting: https://zoom.us/j/99157617857
Meeting ID: 991 5761 7857

# Agenda

* Review PRs & Topics: https://github.com/spdx/spdx-3-model/issues/1149#issue QUDT units.
* Hardware and Supply Chain Group name will remain the same; the group will focus on Compliance.
* Agenda sent to multiple groups: Tech, Threat/Controls, Functional Design, Security, AI, and Operations.
* Please notify anyone you feel should attend who has knowledge related to compliance and regulatory issues.
* Goal
  * Define compliance, regulations and policy.
  * The goal is to create a method for compliance.
  * Establish criteria to define examples and methods to adhere to compliance.
  * Agree upon criteria for validation of the requirements, examples and solution outlines.
* Objectives
  * Agree upon compliance examples such as CRA.
  * Create an outline document/spreadsheet with requirements, examples and solution outlines.
  * Define a method for using SPDX data and tools to provide or link data to requirements.

## Links and background

* CRA Mapping Example Outline: Example Implementing AI Bill of Materials (AI BOM) with SPDX 3.0: A Comprehensive Guide to Creating AI and Dataset Bill of Materials.
  https://www.linuxfoundation.org/hubfs/LF%20Research/lfr_spdx_aibom_102524a.pdf?hsLang=en
* Cyber Resilience Act Requirements Standards Mapping: https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf
* Review the proposed goals and objectives of CRA Mapping Example (link below): https://docs.google.com/document/d/1didhLnnap9aucov87B51Hv7dwNKr8PwLoIilJDq6gCE/edit?usp=sharing
* Discuss CRA mapping ideas and the document developed by Greg: https://docs.google.com/document/d/1t-L2yt-zYLT3mtWC63Dy0PCl0G52NTJhsV_P26BV9oo/edit?tab=t.0
* Git Repository PR written to deal with the CRA map: https://github.com/gregshue/spdx-examples/tree/conformanceexamples/conformance/example1/content/src
* Engineering requirements vs SPDX - add questions to main document: https://docs.google.com/document/d/1t-L2yt-zYLT3mtWC63Dy0PCl0G52NTJhsV_P26BV9oo/edit?tab=t.0
* Kate related to Zephyr: https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf
* Manufacturers becoming aware of the CRA and vulnerabilities (OSS): https://osseu2025.sched.com/event/25VnL/zephyr-evolving-to-cra-readiness-kate-stewart-the-linux-foundation

Alfred Strauch
President
Smart Talk Beacon Solutions Ltd.
Email: [email protected]
Web: www.smarttalkbeacon.com

View/Reply Online (#6029): https://lists.spdx.org/g/Spdx-tech/message/6029
