Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Why? GSA is already specifying SBOMs. And is the list to
encourage congressional lobbying?
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Eliot,
I’m not familiar with the GSA work you mention. Can you provide a pointer to GSA documents indicating that SBOM’s are required.
I’ve seen where SBOM’s are required in the Department of State Evolve RFP.
Also, why would ITI and others be lobbying Congress to have SBOM removed from the NDAA, as the linked article indicates.
There must be a reason. I suspect it’s because Congress creates laws, and the NDAA law makes SBOM a legal requirement.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Sent: Friday, December 16, 2022 4:13 PM
To: spdx@...
Subject: Re: [spdx] Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Why? GSA is already specifying SBOMs. And is the list to encourage congressional lobbying?
On 16.12.22 20:38, Dick Brooks wrote:
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Eliot,
I’m not familiar with the GSA work you mention. Can you provide a pointer to GSA documents indicating that SBOM’s are required.
I’ve seen where SBOM’s are required in the Department of State Evolve RFP.
Also, why would ITI and others be lobbying Congress to have SBOM removed from the NDAA, as the linked article indicates.
There must be a reason. I suspect it’s because Congress creates laws, and the NDAA law makes SBOM a legal requirement.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Why? GSA is already specifying SBOMs. And is the list to encourage congressional lobbying?
On 16.12.22 20:38, Dick Brooks wrote:
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
It’s all moot now. The bill passed the House and Senate today and is on it’s way to the President’s desk.
https://www.congress.gov/bill/117th-congress/house-bill/7776/text
All of the software supply chain provisions have been gutted in the final NDAA.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Sent: Friday, December 16, 2022 5:43 PM
To: spdx@...
Subject: Re: [spdx] Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
You shared this previously https://insidecybersecurity.com/share/14118
I think that's a significant reason. And even as a proponent / agitator of SBOMs myself, I find the arguments they lay out compelling as we sit right now.
On Fri, Dec 16, 2022 at 4:33 PM Dick Brooks <dick@...> wrote:
Eliot,
I’m not familiar with the GSA work you mention. Can you provide a pointer to GSA documents indicating that SBOM’s are required.
I’ve seen where SBOM’s are required in the Department of State Evolve RFP.
Also, why would ITI and others be lobbying Congress to have SBOM removed from the NDAA, as the linked article indicates.
There must be a reason. I suspect it’s because Congress creates laws, and the NDAA law makes SBOM a legal requirement.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Why? GSA is already specifying SBOMs. And is the list to encourage congressional lobbying?
On 16.12.22 20:38, Dick Brooks wrote:
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
