[SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)
Ray Lutz <raylutz@citizensoversight.org> Fri, 05 April 2024 21:21 UTC
To: "scitt@ietf.org" <scitt@ietf.org>
From: Ray Lutz <raylutz@citizensoversight.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/fD5PT0ADuQcY0TZpmj6dzmJHzpY>
This seems to implement a service similar to the vision of SCITT, but with the user account and submission front end that is otherwise missing from SCITT, and it appears to be already endorsed by CISA. They use "self attestations", which are comparable to SCITT claims. It seems it is limited to federal users and sw vendors.

https://www.cisa.gov/resources-tools/resources/repository-software-attestations-and-artifacts-rsaa-user-guide
https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf

and they use this self-attestation form:
https://www.cisa.gov/sites/default/files/2024-03/Self-Attestation-Common-Form-03082024-FINAL.pdf

--> Does this actually do anything to improve software by having producers say they do everything right?

Intro text:
==============
PURPOSE

OMB issued memorandum M-22-18 on 14 September 2022. Due to the importance and scope of the Federal Government’s information and communications technology (ICT) products and services, Memorandum 22-18 was drafted to ensure software integrity. Software integrity is key to protecting Federal systems from nation state and criminal actors seeking to disrupt our nation’s critical functions. The goal is to reduce overall risk from cyber-attacks. One way to achieve this is by Federal agencies only using software from software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.

Following the issuance of M-22-18, on 09 June 2023, OMB issued memorandum M-23-16. OMB Memorandum M-23-16 reinforces the requirements established in M-22-18, reaffirms the importance of secure software development practices, and extends the timelines for agencies to collect attestations from software producers.

Additionally, this memorandum provides supplemental guidance on the scope of M-22-18’s requirements and on agencies’ use of Plan of Actions and Milestones (POA&Ms) when a software producer cannot provide the required attestation but plans to do so. To the extent any provision of this memorandum may be read to conflict with any provision of M-22-18, this memorandum is controlling. The Repository for Software Attestation and Artifacts (RSAA) serves to satisfy the requirements set forth in M-22-18 and M-23-16.

INTRODUCTION

The RSAA User Guide provides users with instructions to create an RSAA account, the required CISA Okta Partner Platform account with multifactor authentication (MFA) and use the RSAA application effectively. The RSAA application serves as a repository for all software producers’ Attestations.
==============

Steps are:

1. Create a user account. It lists some but also has a way to request additional categories.

   "If the organization or agency being represented does not appear in the drop-down lists or options presented, please contact the CISA Technology Operations Center (TOC) to request the missing organization or agency be added to the CISA RSAA system"

   Click “Submit for Review.” A notification will appear confirming the account creation request has been successfully submitted. Click “OK” to complete the process. Account requests are reviewed and processed within approximately 2 business days. Upon processing, an email is sent to the requestor to notify that the account has been created.

2. Create a software record. With an RSAA account created AND activation of the CISA Okta Partner Portal account with MFA, registered users may create software record(s) for the agency or organization. Each record is specific to the software product and version(s). Registered users may also search existing software records, subject to the user privileges.

   Step 6. If creating a new software record, complete the required fields in the Create Software Record form which displays and identifies required data for the submission:
   a. Populate the Name of Product or Product Line field.
   b. Enter the Version Number Range (if applicable).
   c. Enter the software producer entity. If the software producer is not registered in the system, click the “Add New” option, and when prompted, enter the software producer entity, and click “OK.” The entity will now be available to enter in the software producer field of the Create Software Record form.
   d. Enter the Release/Publish Date.
   e. Click “Save Record.”

   Artifacts may be uploaded using the “Upload Artifact” feature.

--
-------
Ray Lutz
Citizens' Oversight Projects (COPs)
http://www.citizensoversight.org
619-820-5321