# CISA RSAA: a Transparency Service?
<style>
.reveal {
font-size: 24px;
}
</style>
---
## Disclaimer
- I'm a SCITT enthusiast
- Not here to represent my employer
- Even so, [what I say is](https://www.nist.gov/disclaimer)
  - not a formal policy
  - never an endorsement of commercial products
---
## SCITT Community
- [Website](https://scitt.io)
- [Code for website and other projects](https://github.com/scitt-community/)
- [Code of conduct](https://github.com/scitt-community/governance/blob/main/org-docs/CODE-OF-CONDUCT.md)
---
## What is RSAA?
- RSAA = [Repository for Software Attestations and Artifacts](https://www.cisa.gov/resources-tools/resources/repository-software-attestations-and-artifacts-rsaa-user-guide)
- Made by [CISA](https://cisa.gov) for their software security initiatives
- President and executive-level backing
  - [M-22-18](https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf)
  - [M-23-16](https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security.pdf)
---
## SCITT perspective: the good parts
- There are separate roles
  - Software producer (Issuer?)
  - Federal user (Verifier? Auditor?)
  - Federal admin (???)
- Different roles can upload attestations
- There is [some documentation](https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf)
---
## SCITT perspective: could be better parts
- Roles are inflexible
- Data only accessible through app (no API)
- No verifiable linkage of data from identities, regardless of role
---
## Conclusion
- RSAA _is maybe_ a transparency **web app**.
- It is _not_ a transparency service.
- Does that matter? You tell me. 😅
---
## Questions?
---