OASIS Common Security Advisory Framework (CSAF) TC


Re: Member Review of Proposed Submission of CSAF V2.0 OASIS Standard to ISO/IEC JTC1 SC 27


    Posted 03-24-2023 22:56
This responds, as a staff comment, to the above request from the CSAF TC. Final determination and confirmation from OASIS will come after the close of the soon-ending member review period, as provided by our rules. Those rules, the proposed submission draft, and the TC's "Submission request to advance CSAF v2.0 to an International Standard", all are linked from the announcement of the member review, sent to this list on 23 February: https://lists.oasis-open.org/archives/oasis-member-discuss/202302/msg00000.html

This staff comment clarifies the intended path of submission, because the "Submission request" document mentions *both* ISO/IEC JTC 1, and its SC27 subcommittee on cybersecurity.

Under OASIS' PAS qualification, when we ask for approval of a transposed International Standard, the ballot will be sent to the *full* JTC 1 committee. All our prior successful PAS submissions have worked the same way. However, please note, subpanels such as SC27 are not automatically queried and would not themselves also receive that ballot. Thus, any prior consultation that OASIS wishes to conduct with SC27 should *precede* the ballot launch. We believe that consultation is advisable in this case.

Once the member comment period closes and its results are reviewed, it is likely to be our staff recommendation that OASIS: first, as usual, produce the final JTC 1 submission package, and share it with the TC, which usually occurs within about 15 days; second, atypically, transmit that package to SC27 as an informal consultation, giving those subcommittee experts a reasonable period of time to raise questions (perhaps 30 days?); third, consult the OASIS TC if that produces material new comments or objections, to permit the TC to respond if it wishes; and then fourth, as usual, transmit the package and request a ballot be started.

If there are no material comments during step 2, then step 3 becomes unnecessary, and we'd likely send off the ballot request (step 4) immediately after the close of the step 2 consultation.

Regards, JBC

James Bryce Clark, General Counsel, OASIS Open, setting the standard for open collaboration