As part of the National Cybersecurity Strategy Implementation Plan, Initiative Number 3.3.2 "Advance software bill of materials (SBOM) and mitigate risk of unsupported software", the US Cybersecurity & Infrastructure Security Agency (CISA) is tasked to "...explore requirements for a globally-accessible database for end-of-life/end-of-support software...", including the value it could provide (or not provide), use cases, requirements, and feasibility.
CISA is proposing the following definition for the term "security support":
"A reasonable expectation of a predictable, effective response to a new security risk."
Alignment with the efforts of the OpenEoX TC is a priority, and CISA welcomes any feedback re: the proposed definition from the TC.
I looked at the definition and it feels like there is a viewpoint issue (but that might be because I'm not a native speaker):
IMHO, "support" is not an "expectation". That something is supported could fuel a reasonable expectation that there will be a predictable, effective response to a new security risk. But the support itself isn't the expectation. The announcement of security support provides the expectation. The expectation is more on the customer side, the support (promise) on the vendor side.
So maybe a better definition would be:
"Security support": Promise that a user can reasonably expect a predictable, effective response to a new security event.
Edited to take comment from TC into account (changed risk to event)