Skip main navigation (Press Enter).

Open Supplychain Information Modeling TC

View Only

Back to discussions

Expand all | Collapse all

EoX

Duncan Sparrell10-18-2024 19:00

Similar to licenses, I propose we use "existing" standards as the basis for the 'End-od-xxx" portion ...

Jade Stewart10-20-2024 13:31

I'm completely in favor of standards and information models. However, I'd like to see End of ...

Duncan Sparrell11-04-2024 13:10

I propose this be discussed at next meeting as there as disagreement as to whether to use OpenEoX or ...

1. EoX

Recommend
Duncan Sparrell
Posted 10-18-2024 19:00
Similar to licenses, I propose we use "existing" standards as the basis for the 'End-od-xxx" portion of the information model. The OASIS OpenEoX TC is working on a specification but it is not yet complete. I propose we use their list and definitions. I presume they'll be complete prior to us, but even if they aren't I still think we should use their draft spec was the basis for our information model for EoX information. So I drafted an FAQ to capture the agreement (presuming we'll agree).

I, Duncan Sparrell, move that PR #53 (an FAQ where the EoX list comes from) be approved, and request that if seconded via this list, and no objections received via this list within one week (ie by 25-Oct-2024 7 PM Eastern) , that the motion automatically carry and the maintainers may merge the PRs at their convenience.

------------------------------
Duncan Sparrell
Chief Cyber Curmudgeion
sFractal Consulting LLC
Oakton VA
703-828-8646
------------------------------
2. RE: EoX

Recommend
Jade Stewart
Posted 10-20-2024 13:31
I'm completely in favor of standards and information models.

However, I'd like to see End of Engineering Support added though (and I don't have time right now to figure out how EOX works - I did look it up once).

EOES was used by Fortinet and another vendor. I was surprised when we saw it with the other vendor and is it skirting our vulnerability policies. The non-Fortinet vendors states with Secure by Design they won't be doing it anymore – I had brought it up to them that it was not acceptable to us, perhaps others did as well.

Asa result of this, we are re-writing our vulnerability policy to ensure that such situations can't happen.

As of three years, Fortinet had this as well. See the links before when I do a google search early in 2024. Perhaps Fortinet doesn't do it anymore - I don't know.

https://www.reddit.com/r/fortinet/comments/p5uu9u/fortios_end_of_engineering_support_eoes_date/

"End of Engineering Support for Software (EOES): The date beyond which Fortinet no longer commits to provide engineering support for software. After this date the software enters a must-fix support phase, during which, maintenance builds will only be produced for industry wide critical issues and PSIRT vulnerabilities. The EOES date is generally 36 months after the GA date."

Might be in:

https://support.fortinet.com/Download/Fortinet_Life_Cycle_Policy.pdf

If it still exists. I don't have access without creating an account.

Kind regards,

--Jade

---------------------

Dr. Jade Stewart, CISSP, PMP

National Information Assurance Partnership (NIAP)

Standards and Certifications

Cybersecurity Collaboration Center
3. RE: EoX

Recommend
Duncan Sparrell
Posted 11-04-2024 13:10
I propose this be discussed at next meeting as there as disagreement as to whether to use OpenEoX or make our own set of end-of terms.

------------------------------
Duncan Sparrell
Chief Cyber Curmudgeion
sFractal Consulting LLC
Oakton VA
703-828-8646
------------------------------

Original Message

Powered by Higher Logic

Global message icon