
[open-regulatory-compliance] Vulnerability Management presentation to OpenSSF work group

I will be providing an overview of the CISA Software Acquisition Guide Vulnerability Management chapter to the OpenSSF team working on EU CRA standards.

https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

“NIST SP 800-161r1 RA-5 and “NIST Guidance” as specified in OMB M-22-18, call for the issuance of vulnerability disclosure reports (VDR) as an attestation showing that a software supplier has checked each component in a software product SBOM for vulnerabilities and reports the status of each vulnerability discovered, following recommendations for coordinated vulnerability disclosure programs contained in IEC 29147:2018. A VDR is a machine-readable artifact and is considered a “product centric” artifact. A VDR is issued simultaneously with an SBOM at product release and remains online as a living document. It is updated by the software supplier when new vulnerabilities affect the product to which the VDR is attesting. This enables a consumer to know if the software product is affected when a new vulnerability is reported.”

The NIST standards for vulnerability reporting, which the CISA Software Acquisition Guide adopts, are based on IEC 29147:2018, which is a harmonized EU standard for vulnerability reporting.

FYI: VEX is not a harmonized EU standard, to my knowledge. Can someone please confirm my understanding?

I will be happy to provide the same talk (15 minutes) I’m delivering to the OpenSSF to the Eclipse ORCWG also, if interested. Just let me know.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788
