Very encouraging language in the EU CRA for SBOM adoption and vulnerability monitoring/reporting.
https://data.consilium.europa.eu/doc/document/ST-11726-2023-INIT/en/pdf

(37) In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials. A software bill of materials can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.

VULNERABILITY HANDLING REQUIREMENTS

Manufacturers of the products with digital elements shall:

1. identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product

CONTENTS OF THE TECHNICAL DOCUMENTATION

a description of the design, development and production of the product and vulnerability handling processes, including:

(a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;

(b) complete information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;

NIST recommends using the IEC 29147:2018 standard for vulnerability disclosure reporting (the SPDX V 2.3 Spec appendix K.1.9 covers these NIST recommendations: <https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028>). This is also supported by the CycloneDX spec V 1.4 VDR <https://owasp.org/blog/2023/02/07/vdr-vex-comparison>:

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

AND

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-0

I've written about how to use SBOM to monitor for software vulnerability risks using a proactive "Left of Bang" approach, which seems to align well with the EU CRA language: https://energycentral.com/c/iu/how-use-sbom-software-vulnerability-monitoring

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

View/Reply Online (#1714): https://lists.spdx.org/g/spdx/message/1714
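The CRA minimum quoted in the message (a machine-readable SBOM covering at least the top-level dependencies) and the vulnerability monitoring it points to, as an added example that is not part of the original post and not code from the SPDX or CycloneDX projects: it reads a constructed SPDX 2.3 JSON document, takes the top-level dependencies to be the packages that the DESCRIBES root directly DEPENDS_ON (transitive packages are left out), and matches each one's purl ExternalRef against a constructed advisory feed. The package names, purls and advisory id are placeholders, and a component without a purl is reported as one the monitoring cannot identify.

```python
import json

# Constructed minimal SPDX 2.3 JSON SBOM (sample data, not a real product).
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "meter-gateway", "versionInfo": "4.2.0"},
    {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.8.3"},
    {"SPDXID": "SPDXRef-parser", "name": "cfg-parser", "versionInfo": "0.9.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/cfg-parser@0.9.1"}]},
    {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-libfoo"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-parser"},
    {"spdxElementId": "SPDXRef-libfoo", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-zlib"}
  ]
}"""

# Constructed advisory feed keyed by purl; the id is a placeholder, not a real advisory.
ADVISORIES = {"pkg:pypi/cfg-parser@0.9.1": ["ADVISORY-PLACEHOLDER-1"]}

def top_level_dependencies(sbom):
    """Packages the described (root) package directly DEPENDS_ON; transitive ones are skipped."""
    pkgs = {p["SPDXID"]: p for p in sbom["packages"]}
    rels = sbom.get("relationships", [])
    roots = {r["relatedSpdxElement"] for r in rels
             if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"}
    return [pkgs[r["relatedSpdxElement"]] for r in rels
            if r["spdxElementId"] in roots and r["relationshipType"] == "DEPENDS_ON"]

def purl_of(pkg):
    """The package's purl ExternalRef, or None when the SBOM does not carry one."""
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r["referenceCategory"] == "PACKAGE-MANAGER" and r["referenceType"] == "purl"), None)

def monitor(sbom_text, advisories):
    """Match each top-level dependency against the feed; flag those that cannot be identified."""
    report = {"top_level": [], "unidentifiable": [], "vulnerable": {}}
    for pkg in top_level_dependencies(json.loads(sbom_text)):
        report["top_level"].append(pkg["name"])
        purl = purl_of(pkg)
        if purl is None:  # without a purl the component cannot be matched to any advisory
            report["unidentifiable"].append(pkg["name"])
        elif purl in advisories:
            report["vulnerable"][pkg["name"]] = advisories[purl]
    return report
```

Calling monitor(SBOM_JSON, ADVISORIES) lists libfoo and cfg-parser as the top-level dependencies, flags libfoo as unidentifiable, and reports cfg-parser against the placeholder advisory; zlib is only a transitive dependency and is not part of the CRA minimum checked here.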
