From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 577413858412; Wed, 28 Sep 2022 12:48:12 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 577413858412
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1664369292;
	bh=saa3RHCUGiN155CoV7xB6Bu8uJb/n5/TzSwXNK/cBt4=;
	h=From:To:Subject:Date:From;
	b=Kw1oaQVOP2ul/p6aOtrzUKhUMFL54YuJVtX7gKGo5lSIUoT4nSYT+a2kC4Owtm3vI
	 vzqDx4W4yLofO+FNkNCkCJ0eIKq0K4TuswPCzo1+GPG5PTdLA154Ip1qE7c7W8X56w
	 YYLpsKxqgLz5u8gV2UAjK4OKwTG3NcBl0xXzRtV8=
From: "carlos at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: overseers@sourceware.org
Subject: [Bug Infrastructure/29629] New: Does the server need to meet NIST SP
 800-53?
Date: Wed, 28 Sep 2022 12:48:11 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: sourceware
X-Bugzilla-Component: Infrastructure
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: carlos at redhat dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: overseers at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter target_milestone
Message-ID: <bug-29629-14326@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <overseers.sourceware.org>

https://sourceware.org/bugzilla/show_bug.cgi?id=3D29629

            Bug ID: 29629
           Summary: Does the server need to meet NIST SP 800-53?
           Product: sourceware
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Infrastructure
          Assignee: overseers at sourceware dot org
          Reporter: carlos at redhat dot com
  Target Milestone: ---

This was raised at GNU Tools Cauldron 2022 in the discussions around increa=
sing
secure supply chain requirements.

Do the upstream servers providing sources for projects need to meet
requirements like NIST SP 800-53?

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

Even if we don't need to meet the requirements, does meeting them help expa=
nd
the usage of FOSS for organizations that adopt the standards?

Note that github does meet a variety of NIST standards as part of their ser=
vice
offerings:
https://government.github.com/fedramp-faq

Gitlab also provides projects with the ability to comply with various NIST
standards:
https://about.gitlab.com/blog/2022/03/29/comply-with-nist-secure-supply-cha=
in-framework-with-gitlab/

--=20
You are receiving this mail because:
You are the assignee for the bug.=