Bug 29629

Summary: Does the server need to meet NIST SP 800-53?
Product: sourceware
Reporter: Carlos O'Donell <carlos>
Component: Infrastructure
Assignee: overseers mailing list <overseers>
Status: RESOLVED INVALID
Severity: normal
CC: fche, mark
Priority: P2
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Carlos O'Donell 2022-09-28 12:48:11 UTC
This was raised at GNU Tools Cauldron 2022 in the discussions around increasing secure supply chain requirements.

Do the upstream servers providing sources for projects need to meet requirements like NIST SP 800-53?

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

Even if we don't need to meet the requirements, does meeting them help expand the usage of FOSS for organizations that adopt the standards?

Note that GitHub does meet a variety of NIST standards as part of their service offerings:
https://government.github.com/fedramp-faq

GitLab also provides projects with the ability to comply with various NIST standards:
https://about.gitlab.com/blog/2022/03/29/comply-with-nist-secure-supply-chain-framework-with-gitlab/
Comment 1 Frank Ch. Eigler 2022-09-28 13:14:09 UTC
Answering the "does this apply?" question is a regulatory or legal matter if anything.  Do you know?  If not, what is the infrastructure action you propose?

Answering the "would it expand FOSS usage" question is not something we can know, nor an infrastructure matter.
Comment 2 Mark Wielaard 2022-10-06 17:59:54 UTC
Also note Alexandre's analysis:
https://sourceware.org/pipermail/overseers/2022q3/018881.html

And the actual source releases of the GNU Toolchain projects are primarily done through the FSF gnu.org servers (with sourceware providing backups/mirrors of those).

Best would be to move this kind of question about NIST recommendations to the FSF or SFC.