Re: [open-regulatory-compliance] FYI UK Government report on OSS trust - gaps

That’s all fine, but then I still don’t get your reply to my message. I was writing about a project for a separate architecture, that specifically targets EU and German public procurement (among other things). So documents for US agencies etc. don’t really matter in that case. And it’s fine that the draft is publicly available, but I was referring to the implementation of that. Like whether others could use that.

-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

E-Mail: florian.idelberger@xxxxxxx

KIT - University of the State of Baden-Württemberg and
National Research Center in the Helmholtz Association

On 12.03.2025 at 18:37, Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Florian,
 
All of the US Government materials I refer to are available openly to the public:
 
I’ve also posted my March 21, 2025 presentation to NASA/DOE online, which covers the government materials I refer to above:
 
Information regarding the IETF SCITT trust registry concept is also available to the public:
 
 
Thanks,
 
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership
 
Risk always exists, but trust must be earned and awarded.
Tel: +1 978-696-1788
 
 
From: Idelberger, Florian (IIWR) <florian.idelberger@xxxxxxx> 
Sent: Wednesday, March 12, 2025 1:31 PM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] FYI UK Government report on OSS trust - gaps
 
Well you wrote of certain US gov’t initiatives for their own usage. I assume none of that is open or accessible based on what you wrote, whether for reading or writing.
 
-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

E-Mail: florian.idelberger@xxxxxxx

KIT - University of the State of Baden-Württemberg and
National Research Center in the Helmholtz Association


On 12.03.2025 at 15:20, Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
 
Free and open access to a Trust Registry for the public to query a “cybersecurity label”  is a critical success factor to ensure that people are buying and using trustworthy products.
 
Write access to the “Trust Registry” is closely guarded and monitored in order to ensure high integrity and maximum trust by the public.
 
Thanks,
 
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership
 
Risk always exists, but trust must be earned and awarded.™
Tel: +1 978-696-1788
 
 
From: Idelberger, Florian (IIWR) <florian.idelberger@xxxxxxx> 
Sent: Wednesday, March 12, 2025 10:16 AM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] FYI UK Government report on OSS trust - gaps
 
We have recently submitted a proposal for a research project that would develop something like this. Which would be open and accessible, if funded and deployed.
 
-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

E-Mail: florian.idelberger@xxxxxxx

KIT - University of the State of Baden-Württemberg and
National Research Center in the Helmholtz Association



On 12.03.2025 at 15:06, Dick Brooks via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
 
FYI:
 
A UK Government report on open source software contains some very specific findings and recommendations to establish trustworthiness in open source software:
 
4.1.3 Trust in Open-Source Software

Trust in OSS is a critical concept when adopting OSS components. How does one come to trust an OSS component? More often than not, “there is no sound basis for trust in the Software Ecosystems (SECO) hubs”, with trust being considered “founded or unfounded” (Hou et al., 2022).

Outside of academic papers, trustworthiness wasn’t mentioned in any of the best practices we reviewed.

This is a significant gap in the best practices landscape, as trust plays a vital role in adopting OSS components.
 
This is precisely why a SCITT Trust Registry is essential, to serve as a trust anchor for trustworthy software products with specific cybersecurity labels providing justification for a “trust score” in the registry, which the buying public can query before buying a product.
 
The US Coast Guard is planning to implement a “Trust Registry” of approved products, which limits which products can be installed in IT and OT systems used by the US Coast Guard:
 
I’m doing a presentation to the US NASA and the US Department of Energy (DOE) on March 21 on this very topic of SCITT Trust Registries to identify trustworthy products that have passed a risk assessment and may be installed in IT and OT systems.
Trustworthiness of a product will be based on NIST SCRM best practices contained in CISA’s Secure Software Acquisition Guide, https://cisa.gov/sag.
 
Am happy to share my March 21 slides with any that request them.
 
 
 
Thanks,
 
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership
 
Risk always exists, but trust must be earned and awarded.™
Tel: +1 978-696-1788
 
 
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx