OASIS OpenEoX TC

Proposed definition by CISA for "security support" as part of NCSIP Initiative 3.3.2 (Issue #51)

    Posted 10-17-2024 19:18

    Hello TC Members,

    I have submitted the following for discussion: https://github.com/oasis-tcs/openeox/issues/51

    As part of the National Cybersecurity Strategy Implementation Plan (https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/13/fact-sheet-biden-harrisadministration-publishes-thenational-cybersecurity-strategyimplementation-plan/), Initiative Number 3.3.2 "Advance software bill of materials (SBOM) and mitigate risk of unsupported software", the US Cybersecurity & Infrastructure Security Agency (CISA) is tasked to "...explore requirements for a globally-accessible database for end-of-life/end-of-support software...", including the value it could provide (or not provide), including use cases, requirements, and feasibility.
     
    CISA is proposing the following definition for the term "security support":
     
    "A reasonable expectation of a predictable, effective response to a new security risk."
     
    Alignment with the efforts of the OpenEoX TC is a priority, and CISA welcomes any feedback re: the proposed definition from the TC.

    Note: Full disclosure that this work is being done by a separate part of CISA, although I will be tracking and offering support as a co-chair of the OpenEoX TC. The work of the TC will be highlighted in the deliverable(s) for this initiative. I can promise that the feedback will be viewed and considered, but I cannot promise that it will be applied in the final draft for the proposed definition.

    Happy to discuss further here or at the next TC meeting.

    Thanks,
    Justin


    ------------------------------
    Justin Murphy
    US DHS Cybersecurity and Infrastructure Security Agency (CISA)
    Williston VT
    ------------------------------