Re: [SCITT] [spdx] CISA's proposed attestation form is now available and they are seeking comments


Dick Brooks

Thanks for your consideration, Henry.

John, is ITI interested in collaborating with the SMB community on this opportunity?

There are literally thousands of SMBs in this space and my list of interested parties continues to grow.

Clearly, there are SMBs with an interest in collaborating on this matter, which affects all of us.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

From: Henry Young <henryy@...>
Sent: Monday, May 1, 2023 9:31 AM
To: dick@...; ljeanc@...; spdx@...
Cc: scitt@...; John Miller <JMiller@...>
Subject: RE: [SCITT] [spdx] CISA's proposed attestation form is now available and they are seeking comments

Dick,

Thanks so much for reaching. I think it is likely that BSA will provide comments to CISA, and while I suspect many of the points we make will be the same, we probably won’t be submitting as part of a multi-association effort.

Henry

Henry Young

Director, Policy

BSA | The Software Alliance

P (202) 266-2522

W bsa.org

From: Dick Brooks <dick@...>
Sent: Saturday, April 29, 2023 10:56 AM
To: ljeanc@...; spdx@...
Cc: scitt@...; John Miller <JMiller@...>; Henry Young <henryy@...>
Subject: RE: [SCITT] [spdx] CISA's proposed attestation form is now available and they are seeking comments

Thank you, Jean. I have added your name to the growing list of parties that have expressed an interest in joining this collaboration.

FYI: I’ve also reached out to ITI and BSA to collaborate on this.

I see this as a unique opportunity to show that the “Big Guys” (BSA/ITI) and the little SMBs that produce software are coming together on this very important opportunity to collaborate on an item that affects all of us.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

From: SCITT <scitt-bounces@...> On Behalf Of L Jean Camp
Sent: Saturday, April 29, 2023 10:20 AM
To: spdx@...
Cc: scitt@...
Subject: Re: [SCITT] [spdx] CISA's proposed attestation form is now available and they are seeking comments

I am interested. Also, I would like to know if anyone else has any interest in ensuring attestation standards have space to enable cryptographic agility or move towards self-attesting addresses?

On Sat, Apr 29, 2023 at 9:34 AM Dick Brooks <dick@...> wrote:

FYI: I’m envisioning a similar process to what was used by the SBOM Special Interest Group (SBOM SIG), contained in this filing to NIST:

https://www.nist.gov/document/responses-enhancing-software-supply-chain-security-sbom

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

From: Dick Brooks <dick@...>
Sent: Saturday, April 29, 2023 9:21 AM
To: 'scitt@...' <scitt@...>; 'spdx@...' <spdx@...>
Subject: CISA's proposed attestation form is now available and they are seeking comments

Hello Everyone,

CISA is seeking comments on their proposed self-attestation form for OMB M-22-18 and EO 14028.

Is there any interest in doing a joint comment filing to CISA? Please respond to this email if interested in a collaborative, joint response to CISA.

I’ll be happy to facilitate the response.

information has recently been updated and is now available.

CISA Requests for Comment on Secure Software Self-Attestation Form

04/28/2023 02:00 PM EDT

CISA has issued requests for comment on the Secure Software Self-Attestation Form. CISA, in coordination with the Office of Budget and Management (OMB), released proposed guidance on secure software. This guidance seeks to secure software leveraged by the federal government. CISA expects agencies to use this proposed form to reduce the risk to the federal environment, thereby implementing a standardized process for agencies and software producers that will create transparency on the security of software development efforts.

Visit CISA.gov/secure-software-attestation-form for more information and to review the document. The comment period is open until June 26, 2023. CISA is specifically requesting insight on the feasibility, clarity, and usefulness of the document. To submit a comment, click the comment box at the top of Regulations.gov.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788
