Member since: 2018

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I provide SBOM and VEX consulting for service providers and software end users. I lead an informal group of SBOM industry leaders, which was formed to address a few serious problems that are currently preventing widespread distribution and use of SBOMs, especially the "naming problem". We are preparing to promote a solution to that problem.

I have extensive consulting experience with the NERC CIP cybersecurity standards, and especially the CIP-013 supply chain cyber risk management standard. I have worked with a number of electric utilities on CIP-013, as well as with suppliers to the power industry that need to "comply" with the standard.

I write a widely-followed blog which focuses on all of the above topics: . This fall, I will publish "An introduction to SBOMs and VEX", which will be available on Amazon.