I'm completely in favor of standards and information models.
However, I'd like to see End of Engineering Support added though (and I don't have time right now to figure out how EOX works - I did look it up once).
EOES was used by Fortinet and another vendor. I was surprised when we saw it with the other vendor, and it is skirting our vulnerability policies. The non-Fortinet vendor states that with Secure by Design they won't be doing it anymore – I had brought it up to them that it was not acceptable to us, perhaps others did as well.
As a result of this, we are re-writing our vulnerability policy to ensure that such situations can't happen.
As of three years, Fortinet had this as well. See the links before when I do a Google search early in 2024. Perhaps Fortinet doesn't do it anymore - I don't know.
"End of Engineering Support for Software (EOES): The date beyond which Fortinet no longer commits to provide engineering support for software. After this date the software enters a must-fix support phase, during which, maintenance builds will only be produced for industry wide critical issues and PSIRT vulnerabilities. The EOES date is generally 36 months after the GA date."
Might be in:
If it still exists. I don't have access without creating an account.
Kind regards,
--Jade
---------------------
Dr. Jade Stewart, CISSP, PMP
National Information Assurance Partnership (NIAP)
Standards and Certifications
Cybersecurity Collaboration Center
Original Message:
Sent: 10/18/2024 7:00:00 PM
From: Duncan Sparrell
Subject: EoX
Similar to licenses, I propose we use "existing" standards as the basis for the "End-of-xxx" portion of the information model. The OASIS OpenEoX TC is working on a specification but it is not yet complete. I propose we use their list and definitions. I presume they'll be complete prior to us, but even if they aren't I still think we should use their draft spec as the basis for our information model for EoX information. So I drafted an FAQ to capture the agreement (presuming we'll agree).
I, Duncan Sparrell, move that PR #53 (an FAQ where the EoX list comes from) be approved, and request that if seconded via this list, and no objections received via this list within one week (i.e. by 25-Oct-2024 7 PM Eastern), that the motion automatically carry and the maintainers may merge the PRs at their convenience.
------------------------------
Duncan Sparrell
Chief Cyber Curmudgeon
sFractal Consulting LLC
Oakton VA
703-828-8646
------------------------------