Collaborative Working Sessions - NIST, Governments, and standards
NIST, Governments, and standards Notes
Jarl Gullberg
- Standards that codify what has been done for a long time vs. industry standards
- Goal: make it easy to implement, interoperate, and verify
- Government standards (e.g. vulnerability reporting) are usually abstract
- A good example is NIST SSDF: actionable, not overly specific; it describes outcomes and a model, ...
- What outcome? Being able to reproduce binaries independently.
- Why? CIA + non-repudiation + traceability (correctness, integrity, availability):
  - Correctness: avoid build-time race conditions
  - Integrity: make the build tamper-proof
  - Traceability: because we are imperfect and need to improve after a failure
  - Availability: because r-b ensures artifacts can be produced later/elsewhere
  - Non-repudiation: because we need to know who did what
- Need to reduce the effort to implement (anti-bikeshedding). Consuming 3rd-party binaries requires trust: attestation vs. audit (effort/price). Reference implementations do help.
Scope: the transformation from any source material, through a set of tools, into output artifacts, in a deterministic way.
it is easier to add users to ?
=> need to find existing standards with users, especially standards that take security into consideration:
- outcome
- guidelines (e.g. use hermetic environment)
- example implementations
ToDo: create an inventory of national standards that align with r-b outcomes, so that we can influence the standards process and documentation to create demand for r-b, so that investment in r-b happens as a result.
Formalize conformance testing for r-b in ecosystems.
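What a minimal conformance test for the outcome above looks like in practice: build the same sources from two independent checkouts and require byte-identical output, and when that fails, point at the header field that leaked environment state instead of reporting a bare hash mismatch. This is an added illustration, not code from the summit or from any r-b project; the sample source tree and the two packaging routines (`build_naive`, `build_reproducible`) are constructed for the example, and the normalised fields (sorted order, fixed mtime, no owner, fixed mode) follow the usual SOURCE_DATE_EPOCH convention rather than any specific standard's text.

```python
import hashlib
import io
import os
import pathlib
import tarfile
import tempfile

# Constructed sample source tree; stands in for a project checkout (not a real project).
SAMPLE_SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"constructed sample project\n",
}


def make_checkout(files, mtime):
    """Write the sample tree to a fresh temp dir and stamp every file with `mtime`,
    simulating a checkout made at a particular moment on a particular machine."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="rb-src-"))
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))
    return root


def build_naive(src):
    """Package the tree the way a naive build step does: filesystem walk order,
    on-disk mtimes, the builder's uid/gid. Each of those leaks environment state."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for root, _dirs, files in os.walk(src):
            for name in files:
                path = pathlib.Path(root) / name
                tar.add(str(path), arcname=path.relative_to(src).as_posix())
    return buf.getvalue()


def build_reproducible(src, source_date_epoch=0):
    """Same packaging with every environment-dependent field normalised: sorted
    member order, fixed mtime (SOURCE_DATE_EPOCH convention), no owner, fixed mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            info = tar.gettarinfo(str(path), arcname=path.relative_to(src).as_posix())
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def conformance_check(builder, checkout_a, checkout_b):
    """The conformance test itself: build from two independent checkouts and
    require byte-identical output, reported as SHA-256 digests."""
    digest_a = hashlib.sha256(builder(checkout_a)).hexdigest()
    digest_b = hashlib.sha256(builder(checkout_b)).hexdigest()
    return {"reproducible": digest_a == digest_b, "digest_a": digest_a, "digest_b": digest_b}


def diff_members(blob_a, blob_b):
    """When a check fails, list the members and header fields that differ so the
    cause (timestamp, owner, ordering, content) is traceable, not just the hash."""
    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            return {m.name: m for m in tar.getmembers()}
    ma, mb = members(blob_a), members(blob_b)
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "present", name in ma, name in mb))
            continue
        for field in ("size", "mtime", "mode", "uid", "gid", "uname", "gname"):
            va, vb = getattr(ma[name], field), getattr(mb[name], field)
            if va != vb:
                diffs.append((name, field, va, vb))
    return diffs


def run_demo():
    """Two checkouts of identical sources made an hour apart: the naive build
    fails the check on mtime alone, the normalised build passes."""
    a = make_checkout(SAMPLE_SOURCES, mtime=1_700_000_000)
    b = make_checkout(SAMPLE_SOURCES, mtime=1_700_003_600)
    naive = conformance_check(build_naive, a, b)
    fixed = conformance_check(build_reproducible, a, b)
    naive_fields = sorted({d[1] for d in diff_members(build_naive(a), build_naive(b))})
    return {"naive": naive["reproducible"], "fixed": fixed["reproducible"],
            "naive_diff_fields": naive_fields}


if __name__ == "__main__":
    print(run_demo())
```

The shape of the test, not the tar format, is the point: "rebuild independently, compare digests, explain any difference" is what an ecosystem conformance test has to pin down before it can be written into a standard, and `diff_members` is the traceability half that turns a failed check into something a maintainer can act on.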
Standards provide a shortcut / framework for reasoning about outcomes. E.g. governments know they want resilient, secure software for critical infrastructure, but they don't know that they need r-b for that.
Convergence towards common approaches.
Watch for and engage with emerging standards; become part of the working group (e.g. CRA (Cyber Resilience Act), SLSA).
Add website docs for standards bodies / working group engagement / vendor partnering.
Create our WG.
previous summit: https://reproducible-builds.org/events/hamburg2024/ReproducibleSummit2024EventDocumentation.pdf page 44
Sketch page
Audiences:
- Developers of software
- System designers
- Operators
- Security experts
- Auditors
- Researchers
Properties:
- Hermetic determinism
- Tamper proof (integrity)
- Availability
- Non-repudiation
- Traceability (provenance)
- Interoperability
- Correctness
Spec -> publish, advocate, engage Lobby -> NIST -> educate
Getting standardization bodies to care about reproducible builds
We care about standards because
- Standards are a framework for reasoning about outcomes
- They act as shortcuts to solution design
- They encourage convergence on common approaches
Reproducibility is a means to achieving these outcomes
- Tamper-resistance (integrity)
- Availability
- Non-repudiation
- Traceability
- Correctness
These are well-known terms of art within existing security and safety standards, which have coalesced around security and resilience.
The road to standardization
- We want to attach and map to existing standards, working top-down to document and align on de jure directives
- We want to normalize solutions in the ecosystem, working bottom-up to form de facto implementations
- We want to watch for and engage with emerging standards, such as the Cyber Resilience Act
Next steps
- Make an inventory of national, international, industrial, and ecosystem standards to identify applicable areas of work
- Map reproducibility outcomes to requirements in applicable standards
- Pick one and do it!
  - SLSA is an existing standards body with a known focus on reproducibility
  - The CRA is a set of emerging standards with opportunities for advocacy and adaptation
- Create a working group to drive the work