Advancing the adoption of SBOM in Energy by open sourcing Vendor Response XML schema supporting NERC CIP-013-1 Standard

“Software vendors and customers benefit from having a single, automated solution for software supply chain responses to questionnaires, eliminating the need to process different formats”

— Dick Brooks

WESTFIELD, MA, USA, September 28, 2021 /EINPresswire.com/ — Today, Reliable Energy Analytics, LLC (REA) is pleased to announce the open sourcing of its SAG-PM (TM) Vendor Response XML schema for NERC CIP-013-1 compliance, enabling software vendors to address customer supply chain questionnaire responses easily and in an automated manner. The open-source SAG-PM (TM) Vendor Response XML schema is available on GitHub at https://github.com/rjb4standards/REA-Products/raw/master/SAGVendorSchema.xsd

Today’s announcement also helps software vendors and their software consumers adopt NTIA-compliant SBOM formats by providing a simple method to identify the download location of a product’s SBOM and its SBOM description details, i.e., format, version, etc. The response file also provides a software consumer with all of the evidence needed to show compliance, e.g., during a NERC CIP-013 audit. The new, open-source schema contains other information that a software consumer may find useful on a per-product basis, for example, an indicator for known vulnerabilities, Commercial Status, Support Status and other data to help manage software asset inventories and proactively prevent malware from being installed.

Software vendors no longer need to produce multiple, unique questionnaire responses to customer inquiries during software supply chain vetting. A software vendor can provide all of its customers with a comprehensive response to all questionnaires using this one Vendor Response method. Software consumers also benefit from this standardized, automated response file format, which eliminates the need to process different vendor response formats and content. The Vendor Response XML schema contains explicit, defined semantics for critical information, such as a product’s support status and commercial status.

REA welcomes all software vendors to download the open-source XML schema and provide their customers with a consistent and complete Vendor Response XML file, made accessible through an access-controlled customer portal owned by the vendor to prevent unauthorized access to this sensitive data. REA also encourages software vendors to contribute to the development of the open-source XML schema in order to improve on the benefits it provides.
