Call for Participation: OASIS Common Security Advisory Framework (CSAF) TC

A new OASIS technical committee is being formed. The OASIS Common Security Advisory Framework (CSAF) Technical Committee (TC) has been proposed by the members of OASIS listed in the charter below. The TC name, statement of purpose, scope, list of deliverables, audience, IPR mode and language specified in this proposal will constitute the TC's official charter. Submissions of technology for consideration by the TC, and the beginning of technical discussions, may occur no sooner than the TC's first meeting.

The eligibility requirements for becoming a participant in the TC at the first meeting are:

(a) you must be an employee or designee of an OASIS member organization or an individual member of OASIS, and

(b) you must join the Technical Committee, which members may do by using the Roster "join group" link on the TC's web page at [a].

To be considered a voting member at the first meeting:

(a) you must join the Technical Committee at least 7 days prior to the first meeting (on or before 10 November 2016) and

(b) you must attend the first meeting of the TC, at the time and date fixed below (16 November 2016).

Participants also may join the TC at a later time. OASIS and the TC welcome all interested parties.

Non-OASIS members who wish to participate may contact us about joining OASIS [b]. In addition, the public may access the information resources maintained for each TC: a mail list archive, document repository and public comments facility, which will be linked from the TC's public home page at [c].

Please feel free to forward this announcement to any other appropriate lists. OASIS is an open standards organization; we encourage your participation.

----------

[a] https://www.oasis-open.org/apps/org/workgroup/csaf/

[b] See http://www.oasis-open.org/join/

[c] http://www.oasis-open.org/committees/csaf/

----------

CALL FOR PARTICIPATION

OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter

The charter for this TC is as follows.

Section 1: TC Charter

(1)(a) TC Name

OASIS Common Security Advisory Framework (CSAF) Technical Committee

(1)(b) Statement of Purpose

The current threat landscape, combined with the emergence of the Internet of Things, has profoundly changed how we protect our systems and people, driving us to think about a new approach to cybersecurity, especially around vendor advisories dealing with vulnerability disclosure issues. The purpose of the CSAF Technical Committee is to standardize existing practice in structured, machine-readable security vulnerability-related advisories and to further refine those standards over time.

The TC will base its efforts on the Common Vulnerability Reporting Framework (CVRF) specification originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI intends to contribute CVRF to the TC. Prior to creation of the TC, the CVRF standard has been adopted by several technology vendors and MITRE, which produce information in the CVRF format. Additionally, a number of organizations are consuming information produced in the CVRF format. By building upon the existing CVRF standard, the TC can offer immediate value and quickly support future development to improve the interoperability and utility of the framework in support of providing structured machine-readable security advisories.

(1)(c) Scope

The TC will use CVRF 1.1 as the basis for creating OASIS Standards Track Work Products. One important consideration will be attempting to maintain backwards compatibility with CVRF 1.1, where possible, by carefully considering changes to the input specifications and minimizing the impact to existing implementations. Another important consideration will be to ensure that the specification provides for sufficient interoperability to allow any consuming application to reliably process vulnerability-related remediation advisories from multiple sources without special semantic handling for each source.

The TC will develop format specifications for structured, machine-readable security vulnerability-related security advisories under the OASIS TC process, with the goal of submitting them at the appropriate time to the membership of the organization for consideration as an OASIS Standard. Other contributions will be accepted for consideration without any prejudice or restrictions and evaluated based on technical merit insofar as they conform to this charter.

(1)(d) Deliverables

The TC will make substantive additions and other changes to the CVRF input specification to correct errors and evolve capabilities based on requirements and capabilities identified by OASIS TC members. The TC will rename the framework to more closely align to the primary use (e.g. Common Security Advisory Framework - CSAF). Deliverables will include a major revision of the framework. In addition to the specification deliverables, the TC may deliver supporting documentation and open source tooling on an ongoing basis in support of the TC's published standard(s). The TC expects to produce a major revision of the framework within 18 months of its first meeting.

(1)(e) IPR Mode

This TC will operate under the Non-Assertion IPR mode (https://www.oasis-open.org/policies-guidelines/ipr#Non-Assertion-Mode) as defined in Section 10.3 of the OASIS IPR Policy document (https://www.oasis-open.org/policies-guidelines/ipr).

(1)(f) Audience

The anticipated audience includes providers of products and services that produce, consume, or process security vulnerability remediation information, along with their customers who consume this information.

(1)(g) Language

The TC business will be conducted in English. The output documents will be written in (US) English. Translations to other languages may be made based on interest and ability.

Section 2: Additional Information

(2)(a) Identification of Similar Work

The Common Vulnerability Reporting Framework (CVRF) is a standard originally created by the Industry Consortium for Advancement of Security on the Internet (ICASI). CVRF is an XML-based language that enables different stakeholders across different organizations to share critical vulnerability remediation information in a single format, speeding up information exchange and digestion. The current version, CVRF Version 1.1, was released in May 2012.

There are a number of older advisory format efforts, most of which are defunct. The TC will investigate prior work for potential incorporation. The following are a few examples:

* CAIF: http://www.caif.info/draft-weimer-goebel-caif-requirements.html
* OASIS AVDL: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl
* VULDEF: http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html
* EISPP Common Advisory Format: http://www.cert-ist.com/eispp/documents.htm#common_format

(2)(b) First TC Meeting

The first TC meeting will be held on 16 November 2016 at 17:00 UTC / 1:00 PM EDT / 10:00 AM PDT via teleconference. The teleconference will be hosted by Cisco Systems.

(2)(c) Ongoing Meeting Schedule

Monthly teleconferences will be held until the initial objectives outlined in section (1)(d) have been achieved. The exact schedule for these meetings has not yet been determined. After the initial objectives have been met, periodic meetings will be held to review the future initiatives of the TC. These will happen no longer than one year apart.

(2)(d) TC Proposers

Omar Santos, os@cisco.com (Cisco)
Mark-David McLaughlin, marmclau@cisco.com (Cisco)
Lou Ronnau, lronnau@cisco.com (Cisco)
Troy Fridley, trfridle@cisco.com (Cisco)
Chok Poh, Chok.Poh@oracle.com (Oracle)
Feng Cao, feng.cao@oracle.com (Oracle)
Bruce Monroe, bruce.monroe@intel.com (Intel)
Brian Willis, brian.willis@intel.com (Intel)
Richard Struse, richard.struse@hq.dhs.gov (US Dept. of Homeland Security)
Harold Booth, harold.booth@nist.gov (NIST)
Vincent Danen, vdanen@redhat.com (RedHat)
Art Manion, amanion@cert.org (CERT/CC)
Bret Jordan, bret_jordan@symantec.com (Symantec)
Karen Scarfone, karen@scarfonecybersecurity.com (Individual)

(2)(e) Primary Representatives’ Support

“I, Abhijit Kolhatkar (akolhatk@cisco.com), as Cisco Systems' Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework (CSAF) Technical Committee proposed charter and the participation of our organization's co-proposers as named above.”

“I, Elaine Newton (enewton@nist.gov), as the NIST Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework (CSAF) Technical Committee charter and the participation of our co-proposer named in the draft proposal for the new TC.”

"I, Kent Landfield (kent.b.landfield@intel.com), as the Intel Corporation’s Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework (CSAF) Technical Committee charter and the participation of our co-proposers named above."

“I, Mark Little (mlittle@redhat.com), as Red Hat's Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework (CSAF) Technical Committee proposed charter and the participation of our organization's co-proposer, Vincent Danen.”

“I, Art Manion (amanion@cert.org), as the CERT/CC and Software Engineering Institute (SEI) Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework Technical Committee proposed charter and the participation of our organization's co-proposer as named above.”

“I, Martin Chapman (martin.chapman@oracle.com), as Oracle’s Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework (CSAF) Technical Committee proposed charter and the participation of our organization's co-proposers as named above.”

"I, Juan Gonzalez (juan.m.gonzalez@hq.dhs.gov), as DHS Office of Cybersecurity and Communications Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework Technical Committee proposed charter and the participation of our organization's co-proposer Rich Struse."

“I, Bret Jordan (bret_jordan@symantec.com), as Symantec's Primary Representative to OASIS, confirm our support for the OASIS Common Security Advisory Framework (CSAF) Technical Committee proposed charter and the participation of our organization's co-proposer as named above.”

(2)(f) TC Convener

Omar Santos
os@cisco.com
Principal Engineer, PSIRT
Cisco Systems, Inc.

(2)(g) OASIS Member Section

The TC does not anticipate requesting affiliation with any Member Section at this time.

(2)(h) Anticipated Contributions

The Common Vulnerability Reporting Framework (CVRF) Version 1.1 is expected to be contributed by ICASI (the Industry Consortium for Advancement of Security on the Internet). The current version of CVRF can be found at http://www.icasi.org/the-common-vulnerability-reporting-framework-cvrf-v....

(2)(i) FAQ Document

N/A

(2)(j) Work Product Titles and Acronyms

* Common Vulnerability Reporting Framework (CVRF) Version 1.1
* Industry Consortium for Advancement of Security on the Internet (ICASI)
* Intellectual Property Rights (IPR)
* Organization for the Advancement of Structured Information Standards (OASIS)
* Technical Committee (TC)

Associated TC: Common Security Advisory Framework (CSAF)