Eliot, Just an FYI: The "out of band" approach referred to in the draft, where software vendors provide links to SBOM and Vulnerability Disclosure Reports is described in this article: https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements to meet EO 14028 requirements following NIST Guidance defined in OMB M-22-18 This approach uses an open-source, free to use, "Vendor Response File" format to communicate SBOM and VDR URL information that aligns with NIST Guidance. https://raw.githubusercontent.com/rjb4standards/REA-Products/master/jsonvrf.json Please include a reference to the above article, in the draft, as an option for the out of band approach referenced. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxxxx Tel: +1 978-696-1788 -----Original Message----- From: OPSAWG <opsawg-bounces@xxxxxxxx> On Behalf Of Eliot Lear Sent: Monday, March 27, 2023 12:14 PM To: opsawg@xxxxxxxx; Last Call <last-call@xxxxxxxx> Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-15.txt Good morning, good afternoon, and good evening! The below should resolve LC comments. A number of references are corrected, and a paragraph is added to discuss multiple objects being returned. Eliot On 27.03.23 18:12, internet-drafts@xxxxxxxx wrote: > A New Internet-Draft is available from the on-line Internet-Drafts > directories. This Internet-Draft is a work item of the Operations and > Management Area Working Group (OPSAWG) WG of the IETF. > > Title : Discovering and Retrieving Software Transparency and Vulnerability Information > Authors : Eliot Lear > Scott Rose > Filename : draft-ietf-opsawg-sbom-access-15.txt > Pages : 20 > Date : 2023-03-27 > > Abstract: > To improve cybersecurity posture, automation is necessary to locate > what software is running on a device, whether that software has known > vulnerabilities, and what, if any recommendations suppliers may have. > This memo extends the MUD YANG model to provide the locations of > software bills of materials (SBOMS) and to vulnerability information. > > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/ > > There is also an htmlized version available at: > https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-15 > > A diff from the previous version is available at: > https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-sbom-acces > s-15 > > Internet-Drafts are also available by rsync at > rsync.ietf.org::internet-drafts > > > _______________________________________________ > OPSAWG mailing list > OPSAWG@xxxxxxxx > https://www.ietf.org/mailman/listinfo/opsawg > _______________________________________________ OPSAWG mailing list OPSAWG@xxxxxxxx https://www.ietf.org/mailman/listinfo/opsawg -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
