
CISA proposed definition for "security support" as part of NCSIP Initiative 3.3.2 #51

Open
justmurphy opened this issue Oct 17, 2024 · 2 comments
Labels
tc-discussion Further TC discussion is needed

Comments

@justmurphy
Contributor

justmurphy commented Oct 17, 2024

As part of the National Cybersecurity Strategy Implementation Plan, Initiative Number 3.3.2 "Advance software bill of materials (SBOM) and mitigate risk of unsupported software", the US Cybersecurity & Infrastructure Security Agency (CISA) is tasked to "...explore requirements for a globally-accessible database for end-of-life/end-of-support software...", including the value it could provide (or not provide), use cases, requirements, and feasibility.

CISA is proposing the following definition for the term "security support":

"A reasonable expectation of a predictable, effective response to a new security risk."

Alignment with the efforts of the OpenEoX TC is a priority, and CISA welcomes any feedback re: the proposed definition from the TC.

@justmurphy justmurphy added the tc-discussion Further TC discussion is needed label Oct 17, 2024
@tschmidtb51
Contributor

tschmidtb51 commented Oct 28, 2024

I looked at the definition and it feels like there is a viewpoint issue (but that might be because I'm not a native speaker):

IMHO, "support" is not an "expectation". That something is supported could fuel a reasonable expectation that there will be a predictable, effective response to a new security risk. But the support itself isn't the expectation. The announcement of security support provides the expectation. The expectation is more on the customer side, the support (promise) on the vendor side.

So maybe a better definition would be:

"Security support": Promise that a user can reasonably expect a predictable, effective response to a new security event.

Edited to take comment from TC into account (changed risk to event)

@justmurphy
Contributor Author

From langley during TC: Not responding to security risk, but to security events/incidents.
