<div dir="ltr"><div><div>In the USA on Thursday, Rep. Royce introduced a bill: H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014."</div><div><br></div><div>GAME CHANGER? This is directly in line with what so many of us have focused on and in line with the mission of raising software security more here.</div><div><br></div></div><div><div><font><span style="background-color:rgba(255,255,255,0)">The actual Bill:</span></font></div><div><a href="http://www.gpo.gov/fdsys/pkg/BILLS-113hr5793ih/pdf/BILLS-113hr5793ih.pdf" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">http://www.gpo.gov/fdsys/pkg/BILLS-113hr5793ih/pdf/BILLS-113hr5793ih.pdf</font></a></div><div><br></div><div><font><span style="background-color:rgba(255,255,255,0)">TL;DR</span></font></div><div><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><span style="font-weight:bold;background-color:rgba(255,255,255,0)"><font>1) Ingredients:</font></span></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><font><span style="background-color:rgba(255,255,255,0)">Anything (HW/SW/FW) sold to $PROCURING_ENTITY must provide a Bill of Materials of 3<span style="vertical-align:super">rd</span> Party and Open Source Components (along with their Versions)</span></font></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><span style="font-weight:bold;background-color:rgba(255,255,255,0)"><font>2) Hygiene &amp; Avoidable Risk:</font></span></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><font><span style="background-color:rgba(255,255,255,0)">…and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)</span></font></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><span style="font-weight:bold;background-color:rgba(255,255,255,0)"><font>3) Remediation:</font></span></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><font><span style="background-color:rgba(255,255,255,0)">…and must be patchable/updateable (within a reasonable timeframe), as new vulnerabilities will inevitably be revealed.</span></font></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><font><span style="background-color:rgba(255,255,255,0)">--- </span></font></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><font><span style="background-color:rgba(255,255,255,0)">This is an important step in the right direction that started in the trenches and has gone up the tree... (there are many trees)</span></font></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><font><span style="background-color:rgba(255,255,255,0)">Continued awareness and pressure is requested -- do you know how a bill becomes a law in the USA? Here is a little video to explain it &lt;grin&gt;</span></font></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><a href="http://m.youtube.com/watch?v=Otbml6WIQPo" target="_blank">http://m.youtube.com/watch?v=Otbml6WIQPo</a></p><p style="margin-top:4.8pt;margin-bottom:0pt;margin-left:0in;text-indent:0in;direction:ltr;vertical-align:baseline"><br></p><div><a href="http://proactiverisk.blogspot.com/2014/12/cyber-supply-chain-management-and.html" target="_blank">http://proactiverisk.blogspot.com/2014/12/cyber-supply-chain-management-and.html</a></div></div></div>
</div>