From YouTube: Security Tooling Working Group (May 9, 2023)
B: Cool, well, I guess we will join. Are we going to sort of skip off by one and change the cadence? Anyone know where we are going to... sort of go two weeks?
C: Yes, he actually did say that. Well, he could cancel it or leave it, depending on who wanted to attend, but I think we expect very low attendance today.
B: I can flag that we're going to have an SBOM-a-Rama on June 14th in LA, and that will also be virtual, and we'll have the official announcement hopefully by the end of this week. And the goal there is to have a sort of holistic view of all the different moving pieces in the SBOM community.
B: Heavy on what we're doing here at CISA and across the US government. We'll have someone from the Japanese government; we'll hear from some sectors like automotive and healthcare, maybe finance. So that'll be June 14th in LA, and for anyone who wants that announcement, I will make sure to circulate it widely.
B: Yes, we're going for that. It'll be a full-day meeting, so again, I'm never quite sure who actually watches, you know, recordings of five hours of Teams meetings, but I think, talking here, it would be good to get someone to give a high-level overview of what OpenSSF is doing around SBOM.
B: And then the other thing I will flag that is SBOM-relevant, in case you did not see it: the U.S. government issued our first wave of actual implementation for the executive order, and again, this is more for commercial providers rather than the open source side of things. And so, what that is, is, right:
B: The executive order in 2021 said, if you want to sell to the US government, you need to give the US government an SBOM. That slowly transformed, through a couple of different other government levers, into a self-attestation form, and this isn't attestations like in-toto attestations; it's old school: you check a box and sign at the bottom to say you're not lying. And the requirement is that you have to attest that you are tracking the provenance of your third-party software if you're selling on-premise software to the US government. And if anyone wants to know more about that, I can send you the form on that here.
B: I will. Let's see, we've got agenda and then we have notes.
B: I had enough going on this week that I actually had to cancel my trip to Vancouver. I was supposed to go, but a few too many things going on, so I sent my team. All right, updates from your friends in the U.S. government.
B: So right now it is a draft form for people to see. Let me just... there we go. So there's a bunch of stuff about what's the purpose of filling out this form, and this form is essentially for agencies that are buying things from software vendors, and it explicitly says, in SBOM, you... there's policy that explicitly says you don't have to give an agency or any... sorry, take a step back.
B: This document is meant to be used by federal agencies when they buy software, and so it's, you know, Department of State, Department of Energy: when they buy something, they have to get this form filled out. This form has a number of requirements, such as you have to attest that you're separating and protecting each environment you're building software in, that you have multi-factor authentication across your environments, basic stuff that pretty much every organization should be using.
B: The part that is SBOM-relevant is here: "Software producer maintains provenance data for internal and third-party code incorporated into the software."
B: So that's the... If you look at this, this clause is which part of Executive Order 14028, and I apologize, this is very, very gov-heavy, right. This is meant to be consumed by all the lawyers working for software companies. It explicitly says, this says: have an SBOM. This says a lot of stuff that is a little confusing, but this is the relevant piece, and I'll paste this in the document as well, in the notes.
B: Yes, and let alone send it signed. And so the high-level vision is, right, it won't go well if we ask for things that only a few people can do today, right, as much as I would love to require in-toto attestations.
B: How many organizations can do that today? But we still want to maintain forward progress and actually make sure that no one is selling when they don't know about it.
B: Yeah, right, today we're going for sort of the good-faith-actor side of things, and part of that is, right, the tools aren't perfect, especially when you move away from advanced cloud native and into shipped software. And then the other piece is, right, what's your risk? Is your risk people buying? Is your risk, hey, we're worried about someone lying to the US government?
B: Well, there are a lot of other problems that are going on if, you know, if your company is willing to lie to the US government to get a contract. Are you worried about someone tampering with the software or tampering with the build process? That's a legitimate concern, but how many organizations are equipped to actually detect that today, again, especially for enterprise software or industrial control system software, specialized medical stuff? So.
B: Yes, that is a good question of when it will actually go, and I don't think we have that timetable. I think this here... let me put the deadline: where is the deadline for comments, 60-day? Of course, thank you. Yeah.
B: All right, I'm glad that I got to share that with at least a few people, and I think everyone now can return to everything else that is piled up on their plates.