[open-regulatory-compliance] Now that technical standards work has been

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[open-regulatory-compliance] Now that technical standards work has been initiated - some material for consideration

From: "Dick Brooks" <dick@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Feb 2025 12:07:37 -0500
Delivered-to: open-regulatory-compliance@xxxxxxxxxxx
Feedback-id: i99214975:Fastmail
List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>
List-help: <mailto:open-regulatory-compliance-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=unsubscribe>
Organization: Business Cyber Guardian
Thread-index: Adt6RzWhn8Y4NpqRQjGfHGDX4tP6GQ==

Hello Everyone,

Now that the EU CRA Technical Standards work has begun I wanted to share some information for consideration.

This is not a proposal, it is simply to raise awareness of some existing technical recommendations for software manufacturers to follow when selling products to the US Government produced in a public-private partnership under DHS CISA by the ICT_SCRM Task Force membership;

https://www.cisa.gov/ict-scrm-task-force-members

Guide: https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

Spreadsheet: https://www.cisa.gov/sites/default/files/2024-08/PDM24064%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20Consumers%20Final-%2020240710_v19.xlsx

FAQ: https://www.cisa.gov/sites/default/files/2024-10/ICT%20SCRM%20Task%20Force%20Software%20Acquisition%20Guide%20Fact%20Sheet%20%28508%29.pdf

Additional information is provided by the US NASA regarding their SCRM software risk assessment processing expectations:

https://www.nasa.gov/secure-software-development-self-attestation-resources-and-knowledge/

The EU CRA identifies technical expectations such as SBOM and vulnerability disclosure reporting, which overlap with expectations identified by the US CISA organization for Secure by Design and Secure by Default implementations in its Software Acquisition Guide for US Federal Agencies to procure and use only trustworthy software products. https://cisa.gov/sag

With regard to SBOM requirements:

The CISA Software Acquisition Guide contains several specific expectations for SBOM artifacts and the use of open source software components in commercial products:

CONTROL.GOV.08
CONTROL.GOV.09
CONTROL.SC.02
CONTROL.SC.08
https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

With regard to Vulnerability Management requirements, including before a product is released to market and ongoing notifications:

There is an entire chapter devoted to Vulnerability Management expectations titled “VULNERABILITY MANAGEMENT CONTROLS”
Recommends use of standards for coordinated vulnerability processing and notification following NIST recommendations: https://www.iso.org/obp/ui/#iso:std:iso-iec:29147:ed-2:v1:en
CONTROL.VULN.01 thru CONTROL.VULN.08
Supports attestation requirements for vulnerability reporting (item 4) required by US Government Agencies in the CISA Secure Software Attestation Form i.e. “Common Form”;
https://www.nasa.gov/wp-content/uploads/2024/08/nasa-approved-self-attestation-common-form.docx?emrc=d91d18

The CISA spreadsheet artifact was designed to acquire software vendor insights into Secure by Design and Secure by Default technical practices followed by a software supplier.

Thanks,

Dick Brooks