Re: [Last-Call] [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-15.txt

Eliot,

Just an FYI: The "out of band" approach referred to in the draft, where software vendors provide links to SBOM and Vulnerability Disclosure Reports to meet EO 14028 requirements following NIST Guidance defined in OMB M-22-18, is described in this article:
https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

This approach uses an open-source, free to use, "Vendor Response File" format to communicate SBOM and VDR URL information that aligns with NIST Guidance.
https://raw.githubusercontent.com/rjb4standards/REA-Products/master/jsonvrf.json

Please include a reference to the above article in the draft, as an option for the out of band approach referenced.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <opsawg-bounces@xxxxxxxx> On Behalf Of Eliot Lear
Sent: Monday, March 27, 2023 12:14 PM
To: opsawg@xxxxxxxx; Last Call <last-call@xxxxxxxx>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-15.txt

Good morning, good afternoon, and good evening!

The below should resolve LC comments.  A number of references are corrected, and a paragraph is added to discuss multiple objects being returned.

Eliot

On 27.03.23 18:12, internet-drafts@xxxxxxxx wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Operations and Management Area Working Group (OPSAWG) WG of the IETF.
>
>     Title           : Discovering and Retrieving Software Transparency and Vulnerability Information
>     Authors         : Eliot Lear
>                       Scott Rose
>     Filename        : draft-ietf-opsawg-sbom-access-15.txt
>     Pages           : 20
>     Date            : 2023-03-27
>
> Abstract:
>     To improve cybersecurity posture, automation is necessary to locate
>     what software is running on a device, whether that software has known
>     vulnerabilities, and what, if any recommendations suppliers may have.
>     This memo extends the MUD YANG model to provide the locations of
>     software bills of materials (SBOMS) and to vulnerability information.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-15
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-sbom-access-15
>
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/opsawg
>

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call