I will be providing an overview of the CISA Software Acquisition Guide Vulnerability Management chapter to the OpenSSF team working on EU CRA standards.
https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf
“NIST SP 800-161r1 RA-5 and “NIST Guidance” as specified in OMB M-22-18, call for the issuance of vulnerability disclosure reports (VDR) as an attestation showing that a software supplier has checked each component in a software product SBOM for vulnerabilities and reports the status of each vulnerability discovered, following recommendations for coordinate vulnerability disclosure programs contained in IEC 29147:2018. A VDR is a machine-readable artifact and is considered a “product centric” artifact. A VDR is issued simultaneously with a SBOM at product release and remains online as a living document. It is updated by the software supplier when new vulnerabilities affect the product to which the VDR is attesting. This enables a consumer to know if the software product is affected when a new vulnerability is reported.”
The NIST standards for vulnerability reporting, which the CISA Software Acquisition Guide adopts, are based on IEC 29147:2018, which is a harmonized EU standard for vulnerability reporting.
FYI: VEX is not a harmonized EU standard, to my knowledge. Can someone please confirm my understanding?
I will be happy to provide the same talk (15 minutes) I’m delivering to the OpenSSF to the Eclipse ORCWG also, if interested. Just let me know.
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788