KEV (Known Exploited Vulnerabilities) - Potential Format (BCP-07)

Indeed. At least for the contractual requirement, the KEV format (BCP-07) can be used to inform customers (even if the KEV is not disclosed outside the customer-vendor relationship). I suppose some extension to the KEV assertion can indeed be added.

By the way, I did a quick mapping of CRA obligations and how GCVE can support it at the following location:

If you have any feedback or updates, feel free. Thank you!

The CISA ICT_SCRM Task Force struggled with role names like Vendor, Producer, Manufacturer, Supplier, et al. when the CISA Software Acquisition Guide was produced. It was decided to go with “Supplier” in order to support both commercial and open source scenarios; you can see how this matter was addressed in the CISA SAG (page 2, blue box of key terms): https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf


It’s a pretty good document for the procurement aspect, which is often neglected. I’m curious whether we could generate a machine-parseable output of all the control points. Do you know the license of the document, and whether we can freely reuse/redistribute the content? It’s clearly outside the KEV BCP-07, but it could be useful as a reference point for BCP-02, at least in the GCVE ecosystem.

A machine-readable version of the CISA SAG controls is already available, along with an open source reader to process “batches” of SAG spreadsheet responses in Excel format:

CISA SAG Spreadsheet: https://www.cisa.gov/sites/default/files/2024-08/PDM24064%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20Consumers%20Final-%2020240710_v19.xlsx

CISASAGReader tool: https://github.com/rjb4standards/CISASAGReader (Python app to read CISA Software Acquisition Guide spreadsheets based on the CISA format, https://cisa.gov/sag)

A short overview presentation of the CISA SAG is also available here: https://github.com/rjb4standards/Presentations/raw/refs/heads/master/FINAL-CANDIDATE%20JAN292026%20CISA%20Secure%20by%20Design%20Software%20Acquisition%20Guide%20(.pptx

You may also want to take a look at the open source Product Vulnerability Disclosure Report (VDR) format: https://github.com/rjb4standards/REA-Products/blob/master/JSON-SCHEMAS/SAG-VDR-SCHEMA.json. Both the BCP-07 and the open source VDR formats may be considered as part of the work underway in the US energy industry to address the “CVE blind spot”: https://www.naesb.org/pdf4/n_weq_bps_css022426a.doc

All are free to use.
