openc2 message



Subject: OpenC2 in USG RFC responses - 3 days left to provide comments


TL;DR: This is a request that you consider submitting comments to NTIA in favor of using OpenC2. Comments are due by Friday.

 

Background:

Many of you are probably aware that President Biden issued an Executive Order on Improving US Cybersecurity (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) that tasked certain US Agencies with specific tasks. One set of tasks was for NIST and they put out a call for comments (https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/workshop-and-call-position-papers) to which there were 97 companies or individuals who responded. The comments can be read at https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/enhancing-software-supply-chain-security and I believe there were just 2 (Copado and sFractal) that included recommendations for OpenC2 in their comments. You can read the entire comments at the link (and then click on the company name), but the following extracted portions are both in reply to the questions on automation best practices:

Copado:

“Copado has worked with the Department of Energy and the California Public Utilities Commission to bolster national cybersecurity standards Structured Threat Intelligence Expression (STIX), OpenC2 and CACAO to secure the United States”

sFractal:

“I recommend NIST develop best practices for making use of:

• … 4. OASIS Open Command and Control (OpenC2) …

Best practices around STIX, CACAO, and OpenC2 may appear at first glance to not be within the scope of the assignments specified by the EO. However, to meet the EO objectives will require vendor-agnostic, machine-speed cyber-defense automation as proposed by IACD, and it will require that automation through the entire supply chain. I.e. the best practices for SDLC will need to extend beyond what is typically considered SDLC to include the cybersecurity controls of the supplier.”

 

The NIST comment period has closed but a similar comment period is open for NTIA.

 

NTIA:

The NTIA request for comments can be found at https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations and commenting is as simple as sending an email to SBOM_RFC@ntia.gov. One area that OpenC2 directly addresses is RFC question 3g, Delivery (i.e. respond with something along the lines of “WRT question 3g on Delivery, I recommend OpenC2 be considered as the SBOM delivery mechanism as part of an integrated cybersecurity ecosystem”). Another, albeit less direct, application of OpenC2 is in response to question 2 on use cases, combined with their background text on operational considerations, where there is almost an entire page on automation support referencing the EO calling for “greater benefits through automation and tool integration”. Answers similar to the Copado and sFractal NIST comments would apply.

 

Please at least consider responding to the NTIA request for comments with mention of OpenC2 (or add OpenC2 to your company's reply if your company or agency already has a reply in preparation).

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/