No more mention of VDR in latest version of NIST SP 800-161 #334

Open
jbmaillet opened this issue Jan 23, 2025 · 1 comment

@jbmaillet

Re-reading @stevespringett's article on the OWASP website (https://owasp.org/blog/2023/02/07/vdr-vex-comparison), and searching for the authoritative reference regarding VDR, I noticed that the NIST SP 800-161, originally from 2015, has been superseded:
https://csrc.nist.gov/pubs/sp/800/161/r1/final

The new revision can be found here, published in May 2022, so after @stevespringett's article, but including updates as of 11-01-2024 (sic):
https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final
...and in this document, all references to VDR have disappeared. The revision history at the end does not specifically mention this change. I have no idea of the motivations behind this (unfortunate IMHO) removal. I must still have the original SP in my archive; I'll try to dig deeper in the section modified. On a higher level, the update of this SP as a whole seems to be coming from the EO 14028.

Whatever the reason, as of today, at least this mention of this NIST SP is out of date in this repo:
https://github.com/OWASP/owasp.github.io/blob/main/_posts/2023-02-07-vdr-vex-comparison.md

There might be other references elsewhere, including other CDX repos. Noticed in BOM examples too:
CycloneDX/bom-examples#54

Note that I do not consider that this makes the VDR concept obsolete. Just that the NIST can't be referred to, except for historical purposes.

@stevespringett
Member

Thanks for identifying this. I’ll get the page updated in a few days.
