Hi and Good Morning,
CISA offers a framework for Supply Chain Risk Management which can be considered to be a baseline for some interesting regulatory use cases.
For the NTIA SBOM minimum requirements there is a conformance checker and as baseline a mapping between the NTIA requirements and SPDX 2.3/3.0, see: https://github.com/spdx/ntia-conformance-checker and SPDX Mappings
The guide A Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management offers a similar approach for HBOMs.
However, while we have a pretty explicit mapping for the NTIA SBOM requirements, there is only a raw mapping for the HBOMs and this mapping is also not tailored to SPDX 3.0.
Additionally, I found it hard to map some of the requirements at all.
This leads to two main questions on my end:
- Does it make sense to provide such a mapping from the SPDX side?
- Was the document considered as potential requirement document when the Hardware and Supply-Chain profiles have been designed?
I'd be thankful for some feedback.