When I’m looking for guidance on a decision, I often turn to the great 19th-century scholar Charles Dodgson, who wrote on mathematical logic. His two greatest treatises on that subject were written under the pen name Lewis Carroll: Alice in Wonderland and Through the Looking Glass.
Near the beginning of the first treatise, after Alice has
fallen down the long rabbit hole and emerged in Wonderland, she has no idea
where she is and has the following exchange with the Cheshire Cat:
Alice: ‘Would you tell me, please, which way I ought to go from here?’
The Cheshire Cat: ‘That depends a good deal on where you want to get to.’
Alice: ‘I don’t much care where.’
The Cheshire Cat: ‘Then it doesn’t much matter which way you go.’
Alice: ‘...So long as I get somewhere.’
The Cheshire Cat: ‘Oh, you’re sure to do that, if only you walk long enough.’
What has been known until now as the Software Component Transparency Initiative of the National Telecommunications and Information Administration (NTIA, part of the US Department of Commerce) currently finds itself in somewhat the same position as Alice. The leader of the Initiative, Dr. Allan Friedman, moved a few months ago from the NTIA to CISA (which is of course part of the Department of Homeland Security).
The Initiative is a “multistakeholder process”, a special type of “organization” that the NTIA has deployed in many situations (there is currently a large multistakeholder process going on for 5G, much larger than the one for SBOMs). The idea is to have participants in an industry get together to agree on rules that apply to a new technology, without even mentioning the dreaded word “regulation”. However, CISA does things differently (although they aren’t interested in becoming a regulator any more than the NTIA is, as their Director Jen Easterly made clear just last week), so this process can’t continue in its current form. And one can argue that the multistakeholder process has now outlived its usefulness anyway.
There is agreement among the people who have been participating in the Initiative that we would like to continue in some form. It is to discuss what that form will be, as well as to provide general instruction on what SBOMs are and how they can be used, that Allan has scheduled the first (hopefully annual) CISA “SBOM-a-rama” for December 15 and 16, from 12 to 3 PM ET on both days. This will be a two-day event:
1. Allan describes the first day thusly: “The first session will focus on education, bringing the broader security and software community up to speed with the current understanding of technology and practices, and offer the opportunity for some questions and answers for those relatively new to the issue and technology.”
2. Here’s his description of the second day: “The second day will focus on identifying the needs of the broader community around SBOM, and areas of further work deemed necessary for progress. This could include specific technical issues and solutions, operational considerations, or shared resources to support the easier and cheaper generation and consumption of SBOM and related data.” This is where I expect the two questions listed in the title of this blog post to be asked. As long as there is agreement on at least the first question, I’ll be happy with that. Discussion beyond that will be exploratory, but will continue in future meetings, however they’re structured.
Who’s eligible to attend this? The requirements are quite rigorous, I’m afraid:
1. You must have a working command of the English language.
2. You must have an interest in SBOMs and how they can help you secure your organization, even if you know very little about them.
3. You don’t have to have software development experience. If that were a requirement, I couldn’t attend either.
I’ll publish the meeting information when it’s available.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.