Another OASIS Brand opportunity courtesy of US Gov

The Federal Register today contains https://www.federalregister.gov/documents/2023/10/03/2023-21328/federal-acquisition-regulation-cyber-threat-and-incident-reporting-and-information-sharing which proposes changes to Federal Acquisition Regulations (FAR) ie how the USG buys the $1T worth of things they buy each year. There are several provisions in the proposed changes which benefit OASIS (or conversely which are made possible by OASIS standards – the benefit to OASIS comes if we make sure people associate our work with our brand.

Although not called out by name, STIX is crucial for the Security Incident Reporting changes to the FAR. Even if companies don’t report using STIX, the USG will need to convert them to STIX since they have already standardized on STIX for information sharing between USG and ISACs.

Again, although not called out by name, CSAF is integral to being able to require the SBOMs and make use of them as specified by the new FAR regs.

I suggest OASIS staff have an OASIS response to the call for comments. Note all comments will be public and if nothing else it could be a brief marketing blurb to the non-gov readers of the comments. But more importantly, it will establish the OASIS brand with the USG readers of the comments.

I also recommend the board members liaison with their public affairs offices and gently influence their company comments. I expect most companies will comment against these changes, and how they will be costly, etc. I honestly believe they will benefit society at large – ie the costs will be worth it. Even if your company position is hostile to these changes, it might still be possible to get shoutouts to OASIS in it (eg. “If you are going to make us do this, let’s all use a standard like OASIS STIX for sharing info and OASIS CSAF for sharing vulnerability info)”.

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

board-busdev-thought-leaders message