Robert,

We will update the link for the EO to the stable link in the Federal Register. 

The SSAC report is hoping to help shape the technical implementation details of 
some regulations that are already in flight, including the CRA. It appears very 
likely that BIND, for example, will have to undergo third party process audits 
under the CRA, required for products with a critical role in network 
management. What is unknown is how often these will have to be done, and what 
the audits will consist of.  I am not aware of any proposed regulations that 
include third party validation of the software.

The question is whether users think that this type of audit, or the 
requirements around vulnerability reporting, or encouraging updating, will 
improve their cybersecurity in practice. We can tell that the CRA, for example, 
will certainly mean more work for ISC’s software development teams, but we 
cannot tell whether that is welcomed by our users. It is a serious question - 
industry places some value on ISO quality certifications, and the CRA is in the 
same vein. The US Executive Orders, by contrast, seem to mostly use the 
“carrot” approach, as they are intended to impact US Federal procurement 
guidelines.  

Vicky

> On Jan 29, 2025, at 6:57 AM, Robert Wagner <rwag...@tesla.net> wrote:
> 
> This is not a good survey...  
> The 2025 US Executive orders point to dead links. Use the Federal Register 
> link as it should be there long-term.  2025-01470.pdf 
> <https://public-inspection.federalregister.gov/2025-01470.pdf>  CISA   
> Federal Register :: Improving the Nation's Cybersecurity 
> <https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity>
> 
> How can one determine the impact of unknown regulations??
> FYI - If the EU took it upon themselves to analyze every bit of software and 
> provide a free rating - that may have one outcome.  However, if everyone 
> producing open-source software was required to pay some large sum to get 
> their software tested (and face fines if they didn't), that would have a 
> different outcome.
> 
> Regulations can be a carrot or stick approach.
> 
> Software can be buggy but still be very useful/helpful.  Malicious software 
> can be well written (no obvious bugs).  
> 
> RW
> 
> From: bind-users <bind-users-boun...@lists.isc.org 
> <mailto:bind-users-boun...@lists.isc.org>> on behalf of Marc 
> <m...@f1-outsourcing.eu <mailto:m...@f1-outsourcing.eu>>
> Sent: Tuesday, January 28, 2025 3:27 PM
> To: Victoria Risk <vi...@isc.org <mailto:vi...@isc.org>>; BIND Users 
> <bind-users@lists.isc.org <mailto:bind-users@lists.isc.org>>; 
> 'cnect...@ec.europa.eu <mailto:cnect...@ec.europa.eu>' <cnect...@ec.europa.eu 
> <mailto:cnect...@ec.europa.eu>>
> Subject: RE: Survey on the impact of software regulation on DNS systems
>  
> >
> > Did you know that there is significant momentum building to regulate
> > software, including open source, in at least Europe and the US (and
> > possibly elsewhere as well), in order to improve cybersecurity? Do you
> > think this regulation will improve cybersecurity for your operations?
> > What are the opportunities and pitfalls you can envision?
> >
> >
> 
> What about regulating standards? What is the point of regulating open source, 
> when companies like Apple and Microsoft sabotage third-party 
> software/connectivity by not implementing software according to standards. 
> Their upgrades miraculously only break third parties' implementations and not 
> their own.
> Think e.g. of auto provisioning.
> 
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org <mailto:bind-users@lists.isc.org>
> https://lists.isc.org/mailman/listinfo/bind-users
