Open Supplychain Information Modeling TC

  • 1.  EoX

    Posted 10-18-2024 19:00

    Similar to licenses, I propose we use "existing" standards as the basis for the "End-of-xxx" portion of the information model. The OASIS OpenEoX TC is working on a specification but it is not yet complete. I propose we use their list and definitions. I presume they'll be complete prior to us, but even if they aren't I still think we should use their draft spec as the basis for our information model for EoX information. So I drafted an FAQ to capture the agreement (presuming we'll agree).

    I, Duncan Sparrell, move that PR #53 (an FAQ where the EoX list comes from) be approved, and request that if seconded via this list, and no objections received via this list within one week (i.e., by 25-Oct-2024 7 PM Eastern), that the motion automatically carry and the maintainers may merge the PRs at their convenience.



    ------------------------------
    Duncan Sparrell
    Chief Cyber Curmudgeon
    sFractal Consulting LLC
    Oakton VA
    703-828-8646
    ------------------------------


  • 2.  RE: EoX

    Posted 10-20-2024 13:31
    I'm completely in favor of standards and information models.

    However, I'd like to see End of Engineering Support added though (and I don't have time right now to figure out how EOX works - I did look it up once).

    EOES was used by Fortinet and another vendor. I was surprised when we saw it with the other vendor, and it is skirting our vulnerability policies. The non-Fortinet vendor states that with Secure by Design they won't be doing it anymore – I had brought it up to them that it was not acceptable to us, perhaps others did as well.

    As a result of this, we are re-writing our vulnerability policy to ensure that such situations can't happen.

    As of three years, Fortinet had this as well. See the links before when I did a Google search early in 2024. Perhaps Fortinet doesn't do it anymore - I don't know.
     
    "End of Engineering Support for Software (EOES): The date beyond which Fortinet no longer commits to provide engineering support for software. After this date the software enters a must-fix support phase, during which, maintenance builds will only be produced for industry wide critical issues and PSIRT vulnerabilities. The EOES date is generally 36 months after the GA date."
     
    Might be in:
    If it still exists. I don't have access without creating an account.

    Kind regards,
      --Jade

    ---------------------

    Dr. Jade Stewart, CISSP, PMP

    National Information Assurance Partnership (NIAP)

    Standards and Certifications

    Cybersecurity Collaboration Center


     

     






  • 3.  RE: EoX

    Posted 11-04-2024 13:10

    I propose this be discussed at the next meeting as there is disagreement as to whether to use OpenEoX or make our own set of end-of terms.



    ------------------------------
    Duncan Sparrell
    Chief Cyber Curmudgeon
    sFractal Consulting LLC
    Oakton VA
    703-828-8646
    ------------------------------