sunstonesecure-robert
not sure how to override spelling since it's not a mistake, it's a project name (sigstore)?
we would need the chairs (@tabbysable) to weigh in on the conflict of interest declaration. since I added it into the original SAFE process way back when, I definitely like...
would one also need to review and include the POA&M items that might be associated with the component I am using? associated 3rd party connected systems, and maybe even SBOM?
the current guidance from the PMO as I understand it is to use MAX.gov and drop the OSCAL file where you would ordinarily drop the Word or Excel file. If...
I would scope this not at a "Kubernetes" system level - but to each "component" of K8s - i.e., this should probably be tightly coordinated (if not coupled) to the...
several issues on CIS/CRM end up linked here, but the details in those issues are great, and this seems to be more of a catch-all. GitHub handles all the linkages...
is this a real problem or hypothetical? (details not needed) I am genuinely (academically) curious since I have been discussing the open source culture with academics and other "culture" SMEs...
> Chairship is not about being an expert on the technical details. It's about organizing the SIG as a co-chair on a very small WG (policy)

I agree with that!...
[we](https://github.com/kubernetes/sig-security/tree/main/sig-security-external-audit) recently finished the K8s external audit - awaiting release of report for community review - and are folding methodological lessons learned into a threat modeling HOWTO for K8s sub-projects...
> Deliver the whole OSCAL-based SSP each month with the OSCAL POA&M

this is what we are going with for now