Besides the topics for discussion proposed in last meeting notes, I would like to make members aware of some work that we should consider incorporating in our work.
The CISA SBOM working groups have "Enhancing SBOM Generation" out for review. You are welcome to comment on it at SBOM Generation White Paper (Google Docs).
The working groups also have "Improving Risk Management Decisions with SBOM data" out for review. You are welcome to comment on it at
BOMOps Whitepaper (Draft): Improving Risk Management Decisions with SBOM Data (Google Docs)
I am particularly interested in the terminology in both documents (we may want to standardize on their definitions/words, or we may want to make our own) and the use cases in the second doc.
Note the documents are public domain so fair game for us to use/copy/modify as we see fit.
------------------------------
Duncan Sparrell
Chief Cyber Curmudgeon
sFractal Consulting LLC
Oakton VA
703-828-8646
------------------------------