Re: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)

Steve Lasker <StevenLasker@hotmail.com> Fri, 05 April 2024 22:37 UTC

From: Steve Lasker <StevenLasker@hotmail.com>
To: Ray Lutz <raylutz@citizensoversight.org>, "scitt@ietf.org" <scitt@ietf.org>
Thread-Topic: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)
Thread-Index: AQHah59JIPnuL1EBuEm8zVhTwlTrIrFaQX3w
Date: Fri, 05 Apr 2024 22:37:06 +0000
Message-ID: <SJ0PR17MB43344796C1D419E164972E04D2032@SJ0PR17MB4334.namprd17.prod.outlook.com>
References: <c6ac0e2a-947c-416d-b39c-7fce98a27832@citizensoversight.org>
In-Reply-To: <c6ac0e2a-947c-416d-b39c-7fce98a27832@citizensoversight.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/IjoR0XjOa0jd8RzLxvKzXW5RmxI>
Subject: Re: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)

Good timing, Ray,
A.J. was going to facilitate the SCITT Community Meeting next week, and Software Attestations was his first topic.
Reminder: Community meetings restart on April 8th 4 PM UTC (groups.io)<https://groups.io/g/scitt-community/message/73>

--> Does this actually do anything to improve software by having producers say they do everything right?

This is the interesting part, and why enabling others to comment on the same artifact is so important.
There are two major categories of vulnerabilities:

  1.  A software vendor/project inadvertently published a vulnerability. It may not have been known at the time, or it was a bug. In this case, the vendor/project is motivated to fix it. They're motivated to put testing in, to catch their mistakes. They're motivated to publish new information about their artifacts, indicating they found an issue and the steps they're taking to resolve it.
  2.  A group is maliciously working to circumvent the security gates. They study all known checks, and intentionally design a vulnerability to get through them undetected. The better funded, the more they can invest. In this case, they're not motivated to communicate problems.

In both cases, it's important for others to make statements about other publishers' artifacts. Verifiers can choose which additional publishers they wish to trust. Otherwise, a malicious company can pretend to be a good security company and say good or bad things about software.
This was captured here, on scitt.io: Extending Services - SCITT - Supply Chain Integrity and Trust<https://scitt.io/scenarios/extending-existing-services.html>

This brings up the value of the subject field, where multiple issuers can make additional statements about the same artifact.

At IETF 119, the challenges with combining issuers and unique subjects were discussed, and I'd like to carve that problem out as a focus, so that we can assure we can support the above scenarios.
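The scenario described above (several issuers making signed statements about the same subject, with the verifier deciding which issuers it trusts), as an added example that is not code from this thread or from the SCITT drafts. Issuer names and keys are constructed, and HMAC stands in for the COSE_Sign1 signatures a real SCITT statement would carry.

```python
import hashlib
import hmac
import json

# Constructed issuers. In a real deployment the verifier pins each issuer's
# public key; the shared secrets here only let this example run offline.
ISSUER_KEYS = {
    "did:web:vendor.example": b"vendor-key",
    "did:web:auditor.example": b"auditor-key",
    "did:web:lookalike.example": b"lookalike-key",  # claims to be a security firm
}
# The subject: a digest of the artifact every issuer is talking about.
ARTIFACT = "sha256:" + hashlib.sha256(b"constructed release tarball").hexdigest()

def sign_statement(issuer, subject, status):
    """Issuer signs a statement about a subject; status is 'ok' or 'vulnerable'."""
    payload = json.dumps({"iss": issuer, "sub": subject, "status": status},
                         sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_statement(stmt, trusted_keys):
    """Return the decoded payload if the signature checks against a trusted key."""
    body = json.loads(stmt["payload"])
    key = trusted_keys.get(body["iss"])
    if key is None:
        return None  # issuer not in the verifier's trust policy: ignore it
    expected = hmac.new(key, stmt["payload"], hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(expected, stmt["sig"]) else None

def decide(subject, statements, policy):
    """policy maps a trusted issuer to its role ('producer' or 'reviewer').
    Accept only when every role in the policy has made a valid statement
    about this subject and no trusted issuer reports it vulnerable."""
    trusted_keys = {iss: ISSUER_KEYS[iss] for iss in policy}
    seen_roles, verdicts = set(), {}
    for stmt in statements:
        body = verify_statement(stmt, trusted_keys)
        if body is None or body["sub"] != subject:
            continue  # untrusted issuer, bad signature, or a different artifact
        seen_roles.add(policy[body["iss"]])
        verdicts[body["iss"]] = body["status"]
    if "vulnerable" in verdicts.values():
        return "reject", verdicts
    if seen_roles != set(policy.values()):
        return "insufficient", verdicts  # e.g. no independent reviewer has spoken yet
    return "accept", verdicts
```

The lookalike issuer's "ok" statement never influences the decision because the verifier's policy, not the statement's content, decides whose voice counts.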



From: SCITT <scitt-bounces@ietf.org> On Behalf Of Ray Lutz
Sent: Friday, April 5, 2024 2:22 PM
To: scitt@ietf.org
Subject: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)

This seems to implement a service similar to the vision of SCITT, but with the user account and submission front end that is otherwise missing from SCITT, and it appears to be already endorsed by CISA. They use "self attestations", which are comparable to SCITT claims. It seems it is limited to federal users and sw vendors.

https://www.cisa.gov/resources-tools/resources/repository-software-attestations-and-artifacts-rsaa-user-guide

https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf

and they use this self-attestation form:
https://www.cisa.gov/sites/default/files/2024-03/Self-Attestation-Common-Form-03082024-FINAL.pdf

--> Does this actually do anything to improve software by having producers say they do everything right?



Intro text:
==============
PURPOSE

OMB issued memorandum M-22-18 on 14 September 2022. Due to the importance and scope of the Federal Government's information and communications technology (ICT) products and services, Memorandum 22-18 was drafted to ensure software integrity. Software integrity is key to protecting Federal systems from nation state and criminal actors seeking to disrupt our nation's critical functions. The goal is to reduce overall risk from cyber-attacks. One way to achieve this is by Federal agencies only using software from software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.

Following the issuance of M-22-18, on 09 June 2023, OMB issued memorandum M-23-16. OMB Memorandum M-23-16 reinforces the requirements established in M-22-18, reaffirms the importance of secure software development practices, and extends the timelines for agencies to collect attestations from software producers. Additionally, this memorandum provides supplemental guidance on the scope of M-22-18's requirements and on agencies' use of Plan of Actions and Milestones (POA&Ms) when a software producer cannot provide the required attestation but plans to do so. To the extent any provision of this memorandum may be read to conflict with any provision of M-22-18, this memorandum is controlling.

The Repository for Software Attestation and Artifacts (RSAA) serves to satisfy the requirements set forth in M-22-18 and M-23-16.

INTRODUCTION

The RSAA User Guide provides users with instructions to create an RSAA account, the required CISA Okta Partner Platform account with multifactor authentication (MFA) and use the RSAA application effectively. The RSAA application serves as a repository for all software producers' Attestations.

==============
Steps are:
1. Create a user account. It lists some but also has a way to request additional categories.
"If the organization or agency being represented does not appear in the drop-down lists or options presented,
please contact the CISA Technology Operations Center (TOC) to request the missing organization or agency be added to
the CISA RSAA system"

Click "Submit for Review." A notification will appear confirming the account creation request has been successfully submitted. Click "OK" to complete the process. Account requests are reviewed and processed within approximately 2 business days. Upon processing, an email is sent to the requestor to notify that the account has been created.

2. Create a software record.
With an RSAA account created AND activation of the CISA Okta Partner Portal account with MFA, registered users may
create software record(s) for the agency or organization. Each record is specific to the software product and version(s).
Registered users may also search existing software records, subject to the user privileges.

Step 6. If creating a new software record, complete the required fields in the Create Software Record form which displays and identifies required data for the submission:
a. Populate the Name of Product or Product Line field.
b. Enter the Version Number Range (if applicable).
c. Enter the software producer entity. If the software producer is not registered in the system, Click the "Add New" option, and when prompted, enter the software producer entity, and click "OK." The entity will now be available to enter in the software producer field of the Create Software Record form.
d. Enter the Release/Publish Date.
e. Click "Save Record."

artifacts may be uploaded using the "Upload Artifact" feature.




--

-------

Ray Lutz

Citizens' Oversight Projects (COPs)

http://www.citizensoversight.org/

619-820-5321