CISA proposed definition for "security support" as part of NCSIP Initiative 3.3.2 #51
Labels
tc-discussion
Further TC discussion is needed
Comments
|
I looked at the definition and it feels like there is a viewpoint issue (but that might be because I'm not a native speaker): IMHO, "support" is not an "expectation". That something is supported could fuel the a reasonable expectation that their will be a predictable, effective response to a new security risk. But the support itself isn't the expectation. The announcement of security support provides the expectation. The expectation is more on the customer side, the support (promise) on the vendor side. So maybe a better definition would be: "Security support": Promise that a user can reasonably expect a predictable, effective response to a new security risk. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of the National Cybersecurity Strategy Implementation Plan, Initiative Number 3.3.2 "Advance software bill of materials (SBOM) and mitigate risk of unsupported software", the US Cybersecurity & Infrastructure Security Agency (CISA) is tasked to "...explore requirements for a globally-accessible database for end-of-life/end-of-support software...", including the value it could provide (or not provide), use cases, requirements, and feasibility.
CISA is proposing the following definition for the term "security support":
"A reasonable expectation of a predictable, effective response to a new security risk."
Alignment with the efforts of the OpenEoX TC is a priority, and CISA welcomes any feedback re: the proposed definition from the TC.
The text was updated successfully, but these errors were encountered: