Re: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)
Dick Brooks <dick@reliableenergyanalytics.com> Fri, 05 April 2024 23:00 UTC
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Steve Lasker' <StevenLasker@hotmail.com>, 'Ray Lutz' <raylutz@citizensoversight.org>, scitt@ietf.org
References: <c6ac0e2a-947c-416d-b39c-7fce98a27832@citizensoversight.org> <SJ0PR17MB43344796C1D419E164972E04D2032@SJ0PR17MB4334.namprd17.prod.outlook.com>
In-Reply-To: <SJ0PR17MB43344796C1D419E164972E04D2032@SJ0PR17MB4334.namprd17.prod.outlook.com>
Date: Fri, 05 Apr 2024 18:59:57 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <42d7001da87ac$fc8266a0$f58733e0$@reliableenergyanalytics.com>
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/C-c7VxeiyWHt0jmZeDev-ptQi5k>
Subject: Re: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
Ray, Steve, et al,

I'm presenting to a US Government agency on 4/15 describing how the CISA attestation process can benefit from a SCITT Trust Registry. This concept was demonstrated at IETF 117.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Steve Lasker
Sent: Friday, April 5, 2024 6:37 PM
To: Ray Lutz <raylutz@citizensoversight.org>; scitt@ietf.org
Subject: Re: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)

Good timing, Ray,

A.J. was going to facilitate the SCITT Community Meeting next week, and the Software Attestations was his first topic.

Reminder: Community meetings restart on April 8th 4 PM UTC (groups.io) <https://groups.io/g/scitt-community/message/73>

--> Does this actually do anything to improve software by having producers say they do everything right?

This is the interesting part, and why enabling others to comment on the same artifact is so important.

There are two major categories of vulnerabilities:

1. A software vendor/project inadvertently published a vulnerability. It may not have been known at the time, or it was a bug. In this case, the vendor/project is motivated to fix it. They're motivated to put testing in, to catch their mistakes. They're motivated to publish new information about their artifacts, indicating they found an issue and the steps they're taking to resolve it.

2. A group is maliciously working to circumvent the security gates. They study all known checks, and intentionally design a vulnerability to get through them undetected. The better funded, the more they can invest. In this case, they're not motivated to communicate problems.

In both cases, it's important for others to make statements about other publishers' artifacts. Verifiers can choose which additional publishers they wish to trust. Otherwise, a malicious company can pretend to be a good security company and say good or bad things about software.

This was captured here, on scitt.io: Extending Services - SCITT - Supply Chain Integrity and Trust <https://scitt.io/scenarios/extending-existing-services.html>

This brings up the value of the subject field, where multiple issuers can make additional statements about the same artifact. At IETF 119, the challenges with combining issuers and unique subjects were discussed, and I'd like to carve that problem out as a focus, so that we can assure we can support the above scenarios.

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Ray Lutz
Sent: Friday, April 5, 2024 2:22 PM
To: scitt@ietf.org
Subject: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)

This seems to implement a service similar to the vision of SCITT, but with the user account and submission front end that is otherwise missing from SCITT, and it appears to be already endorsed by CISA. They use "self attestations" which are comparable to SCITT claims. It seems it is limited to federal users and sw vendors.

https://www.cisa.gov/resources-tools/resources/repository-software-attestations-and-artifacts-rsaa-user-guide

https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf

and they use this self-attestation form:

https://www.cisa.gov/sites/default/files/2024-03/Self-Attestation-Common-Form-03082024-FINAL.pdf

--> Does this actually do anything to improve software by having producers say they do everything right?

Intro text:
==============
PURPOSE

OMB issued memorandum M-22-18 on 14 September 2022. Due to the importance and scope of the Federal Government's information and communications technology (ICT) products and services, Memorandum 22-18 was drafted to ensure software integrity. Software integrity is key to protecting Federal systems from nation state and criminal actors seeking to disrupt our nation's critical functions. The goal is to reduce overall risk from cyber-attacks. One way to achieve this is by Federal agencies only using software from software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.

Following the issuance of M-22-18, on 09 June 2023, OMB issued memorandum M-23-16. OMB Memorandum M-23-16 reinforces the requirements established in M-22-18, reaffirms the importance of secure software development practices, and extends the timelines for agencies to collect attestations from software producers. Additionally, this memorandum provides supplemental guidance on the scope of M-22-18's requirements and on agencies' use of Plan of Actions and Milestones (POA&Ms) when a software producer cannot provide the required attestation but plans to do so. To the extent any provision of this memorandum may be read to conflict with any provision of M-22-18, this memorandum is controlling. The Repository for Software Attestation and Artifacts (RSAA) serves to satisfy the requirements set forth in M-22-18 and M-23-16.

INTRODUCTION

The RSAA User Guide provides users with instructions to create an RSAA account, the required CISA Okta Partner Platform account with multifactor authentication (MFA) and use the RSAA application effectively. The RSAA application serves as a repository for all software producers' Attestations.
==============

Steps are:

1. Create a user account. It lists some but also has a way to request additional categories.

"If the organization or agency being represented does not appear in the drop-down lists or options presented, please contact the CISA Technology Operations Center (TOC) to request the missing organization or agency be added to the CISA RSAA system"

Click "Submit for Review." A notification will appear confirming the account creation request has been successfully submitted. Click "OK" to complete the process. Account requests are reviewed and processed within approximately 2 business days. Upon processing, an email is sent to the requestor to notify that the account has been created.

2. Create a software record. With an RSAA account created AND activation of the CISA Okta Partner Portal account with MFA, registered users may create software record(s) for the agency or organization. Each record is specific to the software product and version(s). Registered users may also search existing software records, subject to the user privileges.

Step 6. If creating a new software record, complete the required fields in the Create Software Record form which displays and identifies required data for the submission:

a. Populate the Name of Product or Product Line field.
b. Enter the Version Number Range (if applicable).
c. Enter the software producer entity. If the software producer is not registered in the system, click the "Add New" option, and when prompted, enter the software producer entity, and click "OK." The entity will now be available to enter in the software producer field of the Create Software Record form.
d. Enter the Release/Publish Date.
e. Click "Save Record." Artifacts may be uploaded using the "Upload Artifact" feature.

--
Ray Lutz
Citizens' Oversight Projects (COPs)
http://www.citizensoversight.org
619-820-5321
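Steve's point above, that several issuers can make statements about the same subject and that a verifier decides which issuers to trust (so that a party merely claiming to be a security company carries no weight), can be illustrated with a small policy evaluator. The following is an added example written for this thread, not code from SCITT, scitt.io or the RSAA; it models a statement as a plain record, uses the artifact's SHA-256 digest as the subject, and deliberately leaves out signature verification and the COSE/receipt format SCITT actually uses. The issuer identifiers, the sample artifact bytes and the claim types are constructed for the example.

```python
"""Verifier trust policy over multiple issuers' statements about one artifact.

Illustration only: statements are unsigned records, and issuer identity is
assumed to have been established already (in SCITT it would come from the
signed statement and its receipt). Nothing here is SCITT's real data model.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    issuer: str    # constructed identifier for the party making the claim
    subject: str   # digest of the artifact the claim is about
    claim: str     # constructed claim type, e.g. "self-attestation"
    outcome: str   # "pass" or "fail"


def subject_for(artifact: bytes) -> str:
    """Derive the subject from the bytes so every issuer refers to the same artifact."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def evaluate(statements, subject, trusted_issuers, producer, min_independent=1):
    """Apply one verifier's policy to everything said about ``subject``.

    Policy (an assumption of this example, not a SCITT rule):
      - statements from issuers the verifier does not trust are ignored outright,
        so they can neither vouch for nor smear an artifact;
      - the producer's own self-attestation must be present and passing;
      - at least ``min_independent`` trusted issuers other than the producer
        must also report a pass;
      - a failing statement from any trusted issuer blocks acceptance.
    """
    relevant = [s for s in statements if s.subject == subject]
    considered = [s for s in relevant if s.issuer in trusted_issuers]
    ignored = sorted({s.issuer for s in relevant if s.issuer not in trusted_issuers})

    failures = [s.issuer for s in considered if s.outcome == "fail"]
    self_attested = any(s.issuer == producer and s.outcome == "pass" for s in considered)
    independent = sorted({s.issuer for s in considered
                          if s.issuer != producer and s.outcome == "pass"})

    accepted = self_attested and not failures and len(independent) >= min_independent
    return {
        "accepted": accepted,
        "self_attested": self_attested,
        "independent_passes": independent,
        "failures": failures,
        "ignored_issuers": ignored,
    }


# Constructed sample data: one artifact, statements from three issuers, plus one
# statement about an unrelated artifact that must not influence the decision.
ARTIFACT = b"constructed sample build output, not a real release"
SUBJECT = subject_for(ARTIFACT)
PRODUCER = "did:web:vendor.example"
AUDITOR = "did:web:auditor.example"
IMPOSTOR = "did:web:definitely-a-security-firm.example"  # not on the verifier's trust list

SAMPLE_STATEMENTS = [
    Statement(PRODUCER, SUBJECT, "self-attestation", "pass"),
    Statement(AUDITOR, SUBJECT, "sbom-review", "pass"),
    Statement(IMPOSTOR, SUBJECT, "vuln-scan", "pass"),
    Statement(AUDITOR, subject_for(b"some other artifact"), "sbom-review", "fail"),
]


def demo_trusted_pair():
    """Producer plus one trusted independent reviewer: accepted, impostor ignored."""
    return evaluate(SAMPLE_STATEMENTS, SUBJECT, {PRODUCER, AUDITOR}, PRODUCER)


def demo_self_attestation_only():
    """Same statements, but the verifier trusts only the producer: not enough."""
    return evaluate(SAMPLE_STATEMENTS, SUBJECT, {PRODUCER}, PRODUCER)


def demo_trusted_failure():
    """A later failing statement from the trusted auditor overrides the earlier passes."""
    later = SAMPLE_STATEMENTS + [Statement(AUDITOR, SUBJECT, "vuln-scan", "fail")]
    return evaluate(later, SUBJECT, {PRODUCER, AUDITOR}, PRODUCER)


if __name__ == "__main__":
    for name, fn in [("trusted pair", demo_trusted_pair),
                     ("self-attestation only", demo_self_attestation_only),
                     ("trusted failure", demo_trusted_failure)]:
        print(f"{name}: {fn()}")
```

The third scenario is the "inadvertent vulnerability" case from the thread: once a trusted issuer records a failing statement about the same subject, acceptance is withdrawn without anyone having to edit or retract the earlier statements, which is the property an append-only registry gives a verifier.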