Company Performance Metrics
- Joanne Brooks: Chief Operating Officer
Business Cyber Guardian™ (BCG) is a Reliable Energy Analytics LLC (REA™) company that supplies industries and government agencies with NIST-compliant cybersecurity software supply chain risk management (C-SCRM / CSCRM) software and services to meet the SEC Cybersecurity Disclosure Regulations (17 CFR 229.106) and Executive Order 14028 requirements, inspired by CISA's Secure by Design principles and the best practices described in the CISA Software Acquisition Guide for Government Enterprises (https://cisa.gov/sag), using evidence data submitted to CISA's RSAA portal.
BCG's mission is to operate the highest-integrity software product "Trust Registry" in the world, SAG-CTR, using a community "Trust Trinity" design that follows IETF SCITT registration policies, supporting the US Cyber Trust Mark to protect consumers from risky software products and serving other needs where verification of trust is essential, such as Zero Trust implementations (never trust, always verify). BCG is an American "Owner Backed" software engineering company located in Westfield, MA that uses American labor to create the SAG-PM™ and SAG-CTR™ products and services, which detect and warn of cyber business risk in digital products, especially CISA KEVs, and enable consumers to check the trustworthiness of digital objects on the Internet.
BCG is a leader in the paradigm shift from cybersecurity thinking to the more comprehensive "Cyber Risk Management" concepts designed to protect businesses from cyber risk, broadly.
BCG believes that "Risk always exists, but trust must be earned, awarded and verifiable in SAG-CTR".
A concise answer to "What does BCG do?" is available here: https://businesscyberguardian.com/
The patented SAG™ Methods and SAGScore™ trust score for app stores (US 11374961) and the Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™) software supply chain risk assessment application have continued to evolve and improve, and now stand at version 2.1.1, with support for both SPDX and CycloneDX SBOM formats and for CISA's Secure by Design principles and practices, described in the CISA Software Acquisition Guide published August 1, 2024. SAG-PM™ has been developed to help protect small and medium-sized companies from malicious software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad, harmful software, e.g. ransomware, into an operational system. REA has become the de facto testing partner for the NTIA SBOM community, serving in the role of a software consumer for SBOM interoperability testing with numerous software vendors. REA is an IEEE Entrepreneurship Program Member and an Amazon Web Services (AWS) Activate Company. REA is an active member of the DHS CISA Critical Manufacturing Sector Coordinating Council (CMSCC), the DHS CISA ICT_SCRM Task Force Software Assurance Work Group (developing tools to help small and medium businesses secure their software supply chains and prevent the installation of ransomware and other malware), and the IETF Supply Chain Integrity, Transparency and Trust (SCITT) work group. Never trust software, always verify and report!™
SAG-PM™ performs a patented (US 111374961) software supply chain risk assessment process containing seven critical investigative steps on a software object's installation file, as part of a comprehensive software supply chain risk assessment that calculates a SAGScore™ indicating a level of trustworthiness for the software object itself and for the parties serving roles within the software supply chain. A SAGScore™ is conceptually similar to a FICO Score, but measures the trustworthiness of a software object to perform as expected. When applied to apps on app stores, the SAGScore™ gives a software consumer visibility into the trustworthiness of each app, which can help consumers decide which app to install from a set of search results, based on the highest SAGScore™. These seven steps implement best practices that augment the NERC CIP-010-3 software verification standards by applying the NIST Cybersecurity Framework V1.1 and the NTIA Software Bill of Materials (SBOM) standards recognized by the Department of Commerce NTIA SBOM initiative. The May 12, 2021 Cybersecurity Executive Order, 14028, mandates that Federal Agencies and Departments require all software vendors of critical software to provide SBOMs as part of their software product distributions. An SBOM enables Federal buyers of software products to conduct a software risk assessment, using SAG-PM™, to determine the trustworthiness of a software package prior to installation. This "proactive" risk assessment can detect harmful malware, such as ransomware and other nefarious software, preventing it from being installed in a digital ecosystem where it can cause damage.
An AWS cloud-based SAGServer™ provides database and other support services to the SAG-PM™ software application, including a list of Trusted Software Objects in the SAG-CTR™ Community Trust Registry, along with their SAGScores™, that have been digitally signed and that the SAG-PM™ user community has identified as trustworthy. Software products that receive multiple trust registrations from the SAG-PM™ end-user community can receive the SAG-STAR™ label to indicate their high level of achieved trustworthiness. The new SEC cybersecurity rules place more responsibility, and liability for cybersecurity controls and protections, on Officers and Directors. The SAG-CTR includes a "Secure Evidence Locker" that stores tamper-proof evidence of proactive cybersecurity controls to monitor for CISA Known Exploitable Vulnerability (KEV) risks in software assets, to aid Officers and Directors in mounting a defense against any shareholder lawsuits in the event of a cyber incident, which must be reported within 96 hours under the SEC Cybersecurity rules that go into effect December 2023. The SAG user documentation also includes an appendix describing the processes, policies and practices for cyber-risk detection and risk management in the software supply chain, i.e., CISA KEVs, needed for disclosure to the SEC starting in December 2023.
REA has open-sourced its free-to-use Vendor Response File Format and Vulnerability Disclosure Report XML schemas to help software vendors and consumers exchange the critical information required to meet Executive Order 14028 and the new "SBOM Bill" making its way through Congress, H.R. 4611. A sample use case showing all required evidence data for a comprehensive risk assessment is available online at: https://github.com/rjb4standards/REA-Products/tree/master/C-SCRM-Use-Case
The open-source XML VRF and NIST Vulnerability Disclosure Report (VDR) schemas are available here: https://github.com/rjb4standards/REA-Products
REA is a proud member of the IEEE Entrepreneurship program and an Amazon Web Services (AWS) Activate partner.
Never trust software, always verify and report!™