SBOM's going mainstream - Biden Cybersecurity EO


Kate Stewart
 

Last night Biden signed Executive Order (EO) on Improving the Nation’s Cybersecurity.
As part of this Executive order the concept of SBOM is getting widespread visibility.

If the question comes up please help reinforce that SPDX is a valid recognized SBOM format.
NTIA has recognized 3 SBOM formats able to satisfy the minimum viable requirement for an SBOM, and SPDX is one of them. Current details are available from the last NTIA formats and tooling quarterly checkpoint last month. Also, last month NTIA hosted a plugfest, and all but one tool was able to create an SPDX SBOM.

The NTIA community has been key to getting SBOM in this EO.  Some of you will remember Allan Friedman from NTIA's presentation to our group last year, as well as Ed Heierman from the HealthCare PoC on what they found using SPDX, so it's very exciting to see this emerge.

Thanks,
Kate




Steve Winslow
 

For those interested -- as a follow-up to Kate's message about the EO, here is an article in ZDNet that mentions several aspects of SPDX and how it addresses objectives of the EO:


Steve

On Thu, May 13, 2021 at 1:36 PM Kate Stewart <kstewart@...> wrote:
Last night Biden signed Executive Order (EO) on Improving the Nation’s Cybersecurity.
As part of this Executive order the concept of SBOM is getting widespread visibility.

If the question comes up please help reinforce that SPDX is a valid recognized SBOM format.
NTIA has recognized 3 SBOM formats able to satisfy the minimum viable requirement for an SBOM, and SPDX is one of them. Current details are available from the last NTIA formats and tooling quarterly checkpoint last month. Also, last month NTIA hosted a plugfest, and all but one tool was able to create an SPDX SBOM.

The NTIA community has been key to getting SBOM in this EO.  Some of you will remember Allan Friedman from NTIA's presentation to our group last year, as well as Ed Heierman from the HealthCare PoC on what they found using SPDX, so it's very exciting to see this emerge.

Thanks,
Kate





--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Sebastian
 

Dear all,

During today's SPDX Technical Team meeting, the US Government's recent
Executive Order was a major point of discussion! Kate Stewart shared a
link to a blog post from the Linux Foundation regarding the news:

https://linuxfoundation.org/en/blog/how-lf-communities-enable-security-measures-required-by-the-us-executive-order-on-cybersecurity/

There is lots of useful background information and explanation in the
article which I imagine would be of interest to members of this list.

Best wishes,

Sebastian


Phil Odence
 

I’m sure most of you are aware of the executive order by now. The EO draws attention to SPDX, and the LF is keen to show the project in its best light. As such we are adding a page to the website to display logos of companies whose employees participate. Consider this a heads up; we’d love to get your company’s logo up. Instructions will be forthcoming on how to submit.

 

From: spdx@... <spdx@...> on behalf of Sebastian <seabass-labrax@...>
Date: Tuesday, May 18, 2021 at 1:57 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SBOM's going mainstream - Biden Cybersecurity EO

Dear all,

During today's SPDX Technical Team meeting, the US Government's recent
Executive Order was a major point of discussion! Kate Stewart shared a
link to a blog post from the Linux Foundation regarding the news:

https://linuxfoundation.org/en/blog/how-lf-communities-enable-security-measures-required-by-the-us-executive-order-on-cybersecurity/

There is lots of useful background information and explanation in the
article which I imagine would be of interest to members of this list.

Best wishes,

Sebastian