Cryptographic proof tools for software supply chains & compliance — signed receipts you can verify yourself, no trust required. cbomcompliance.com

Joined March 2026
Pinned Tweet
Your SBOM scanner gives you a report. Reports expire the moment you close the tab. cbomcompliance.com gives you something different:
✦ A cryptographically signed receipt — RS256, Merkle-committed, immutable
✦ Live CVE intelligence at signing — OSV, NVD, GHSA, EPSS scored
✦ Re-evaluate any old receipt against today's threat data
✦ Compare two receipts — see exactly what changed, what was added, what got riskier
✦ Zero data retention. No account needed.
CMMC Level 2 enforcement starts November 10, 2026. Auditors don't want your scanner output. They want proof that can be independently verified years later. Trust is not declared. It is computed. cbomcompliance.com
#CMMC #SBOM #CycloneDX #SPDX #SupplyChainSecurity #DevSecOps #CyberSecurity #AppSec #PKI #SoftwareSecurity #InfoSec #VulnerabilityManagement #OpenSourceSecurity #DoD #NIST #EO14028 @Ransom_DB @Chilcano

50
152 days until federal contractors must prove their software is untampered. Not claim it. Prove it. Most have no idea what that even means yet.
1
12
Under DFARS 252.204-7021, CMMC Level 2 requires demonstrable software supply chain integrity evidence at assessment time — not a scanner output, not a static SBOM. A cryptographic bill of materials: SHA-384 Merkle commitment over every component, RS256-signed JWS receipt, independently verifiable against a public key, re-evaluatable against live CVE databases without reissuing the original proof. That's what auditors are going to ask for. Generate one free — 3 per day, no account: cbomcompliance.com

41
Everyone's reacting to the Miasma attack with the same advice: rotate your tokens. That's cleanup. It doesn't answer the question that actually matters — how do you prove a package is what it claims to be before it reaches your build?

Because here's the part the coverage keeps burying: those Red Hat npm packages were validly signed. Provenance checked out clean. They were credential-stealing malware anyway. A signature only tells you who published something. It can't tell you the code still matches its source. That gap is the entire attack.

An SBOM doesn't close it. An SBOM is an inventory — a list of what's in your software. It cannot tell you whether those contents were altered after the fact. Miasma walked straight past inventory-based tooling.

What stops it is a CBOM: a cryptographic bill of materials that fingerprints the actual contents and issues a verifiable receipt that the code hasn't been tampered with — signed-but-tampered included. That's what we built. Every check produces a receipt with its own ID and its own fingerprint, independently re-checkable by anyone, at any time. Run it again next week and it tells you if something moved underneath you. It cross-references live vulnerability intelligence as it builds, supports re-checks, and can diff two receipts to show exactly what changed between versions. You're not trusting a vendor's word, you're holding proof.

And this stops being optional in months, not years. CMMC Level 2 enforcement lands November 10. EU CRA, DORA, NIS2, EO 14028, NIST 800-171 and 800-161 are all converging on the same demand: prove your software supply chain, at procurement, with evidence. Roughly 300,000 defense contractors are in scope. Most of them have a spreadsheet.

This isn't a concept. It's live, it issues real receipts today, and it was built for the exact gap Miasma exploited. The deadline isn't moving. The attacks aren't slowing. Inventory was never going to be enough.
1
31
CBOM fingerprints package contents to prove no tampering — even in validly signed packages. The exact gap Miasma drove through Red Hat's npm releases. @SocketSecurity @AikidoSecurity @snyksec @bibryam @aviatrixtrc @spchainattack cbomcompliance.com #SupplyChainSecurity #SBOM #Miasma

1
23
Under DFARS 252.204-7021, defense contractors must hold a current CMMC certification as a condition of contract award. Phase 2 enforcement begins November 10, 2026. Starting that date, self-attestation is no longer sufficient for Level 2 contracts. A C3PAO — an accredited third-party assessor — must independently verify your cybersecurity posture, including supply chain risk management under NIST SP 800-171.

NIST SP 800-161r1 requires verifiable attestation of software composition at procurement and delivery. An SBOM you generated yourself does not satisfy independent verifiability. There is no cryptographic mechanism in the SBOM standard that allows an assessor to verify it matches the software it describes.

A CBOM receipt does. Every component SHA-384 hashed. Binary Merkle tree. RS256/JWS signed by an independent third party. Verifiable offline against a published public key. Zero data retention. If the manifest changes after issuance, the signature fails.

DFARS 252.204-7021 is law. November 10, 2026 is the date. Free trial — no account required. cbomcompliance.com
@santoretech @SeraBrynn @secureframe #CMMC #DFARS #NIST800171 #SBOM #supplychainsecurity #C3PAO

41
Every financial institution processing ISO 20022 messages has the same problem and nobody is talking about it. You can prove a payment was sent. You cannot prove the message was valid at the moment it was sent. That distinction is about to matter.

SWIFT's MT to MX migration is complete. FedNow is live. ECB TARGET2 mandated it. Regulators across the EU, UK, and US are now requiring financial institutions to demonstrate ISO 20022 compliance — not just process the messages, but prove it.

A log entry proves nothing. An internal timestamp proves nothing. A screenshot proves nothing. Any of those can be altered after the fact and your auditor knows it.

Here's what cryptographic proof of ISO 20022 message integrity actually looks like: You submit your message. Every field gets individually SHA-384 hashed. Those hashes go into a binary Merkle tree. The root gets RS256 signed and issued to you as a JWS receipt — independently verifiable offline, forever, against a published public key. Your message is immediately discarded. Zero retention.

Present that receipt to any regulator, auditor, or counterparty. They verify it themselves. No phone call. No trust required.

Supports pain.001, pain.002, camt.052, camt.053, pacs.008, pacs.009 and more. Signed receipts from $49. 20022validator.com @swiftcommunity @FRBservices

43
Auditors are about to reject every SBOM in the defense supply chain. Here's why — and what replaces it.

An SBOM is a document you wrote about yourself. You listed your own dependencies. You generated the timestamp. You said it was clean. A C3PAO auditor cannot verify any of it independently. It's a claim, not evidence.

What an auditor actually needs:
— Proof of composition at a specific point in time
— An independent third party produced it, not you
— The contents are cryptographically tamper-evident
— Anyone can verify it without contacting you

That's a CBOM receipt. Here's exactly what it is: You upload your manifest. Every component gets SHA-384 hashed. Those hashes go into a binary Merkle tree. The root — a single cryptographic fingerprint of your entire software composition — gets RS256 signed and issued as a JWS receipt, timestamped and independently verifiable against a published public key. Your manifest is immediately discarded. Zero retention.

The protocol itself is anchored to Bitcoin — not your individual receipt, but the specification that governs every receipt ever issued. The receipt verifies offline. Forever. No network call. No account. No dependency on us existing in 5 years. If a single dependency changes, the Merkle root changes, the signature breaks, and the tampering is detectable.

Come back in 30 days and paste the same receipt — it re-evaluates your original components against current CVE databases and tells you exactly what changed. Same receipt. Current threat intelligence. No other tool does this because no other tool issues receipts. They issue reports. Reports expire. Receipts don't.

CMMC Level 2 enforcement: November 10, 2026. 300,000 defense contractors. Free trial, no account needed. #compliance #cmmc @santoretech @SeraBrynn @secureframe cbomcompliance.com

40
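The commitment step the ISO 20022 and CBOM receipt posts above both describe (SHA-384 hash per field or component, binary Merkle tree, single root that changes if anything changes) as an added example; this is not code from cbomcompliance.com or 20022validator.com. The leaf and inner-node encodings, the rule for an unpaired node on an odd level, and the sample manifest are assumptions; the RS256/JWS signature over the root is not shown because it needs an RSA library outside the Python standard library.

```python
import hashlib
from typing import List, Tuple

# Constructed sample manifest (not from any real receipt): "name@version".
MANIFEST = ["lodash@4.17.21", "express@4.19.2", "left-pad@1.3.0",
            "minimist@1.2.8", "semver@7.6.0"]

def leaf_hash(component: str) -> bytes:
    # Assumed leaf encoding: a 0x00 prefix keeps leaf preimages distinct
    # from inner-node preimages (second-preimage hardening).
    return hashlib.sha384(b"\x00" + component.encode("utf-8")).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Assumed inner-node encoding: 0x01 || left || right, order-sensitive.
    return hashlib.sha384(b"\x01" + left + right).digest()

def _next_level(level: List[bytes]) -> List[bytes]:
    # Pair adjacent nodes; an unpaired last node is promoted unchanged
    # (assumed rule; the posts do not say how odd levels are handled).
    return [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]

def merkle_root(components: List[str]) -> bytes:
    if not components:
        raise ValueError("cannot commit to an empty manifest")
    level = [leaf_hash(c) for c in components]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(components: List[str], index: int) -> List[Tuple[str, bytes]]:
    # Sibling hashes from leaf to root; "R" means the sibling sits to the right.
    level, proof = [leaf_hash(c) for c in components], []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("R" if sibling > index else "L", level[sibling]))
        index //= 2
        level = _next_level(level)
    return proof

def verify_inclusion(component: str, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    # A verifier needs only the component, its proof and the committed root:
    # no manifest, no network call, no contact with the issuer.
    h = leaf_hash(component)
    for side, sib in proof:
        h = node_hash(h, sib) if side == "R" else node_hash(sib, h)
    return h == root
```

Changing a single component (for example bumping left-pad to a different version) yields a different root, so a signature over the original root no longer verifies against the modified manifest, which is the tamper-evidence the posts rely on.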
Here's what's shipped across the NextGenRails defense compliance suite this week:

prechained.com
— Bulk capture: submit up to 10 packages at once
— Threat feed cleaned up: known-good maintainers no longer flagged as threats
— Actor intelligence running live, 5-minute intervals

cbomcompliance.com
— Homepage rebuilt: CMMC deadline front and center
— Advanced receipt leads the pricing, $199 recommended for CMMC
— Bitcoin-anchored protocol (not individual receipts — we don't lie)

cuistandard.com
— Completely rebuilt from static PDF to interactive workspace
— Free COPR wizard: 8 questions, get your exact CUI categories and markings
— $29/month unlocks 10 milestones: CUI inventory, system boundary, all 110 NIST 800-171 controls, IR plan, auto-generated SSP CUI section, SPRS estimator, professional export
— Auto-saves. No account. Token access only.

November 10, 2026. 153 days. nextgenrails.net
#CMMC #SBOM #CUI #NIST #DoD #SupplyChainSecurity #DevSecOps #CyberSecurity #DFARS #EO14028 #InfoSec @Ransom_DB

18
A thread on what CUI actually is and why most defense contractors are getting it wrong. 🧵

1/ CUI = Controlled Unclassified Information. Not classified. But if you handle it under a DoD contract, you are legally required to protect it under DFARS 252.204-7012 and NIST SP 800-171. CMMC Level 2 enforcement starts November 10, 2026.

2/ The #1 mistake: over-scoping. Contractors mark everything CUI — HR records, marketing materials, internal pricing — because it "feels sensitive." Wrong. Sensitivity is not the test. A specific legal authority in the NARA CUI Registry is the test. Over-scoping means paying for controls you don't need.

3/ The #2 mistake: under-scoping. Contractors miss CUI entirely — especially ITAR-controlled technical data and procurement information — because nobody told them what to look for. Under-scoping means failing your CMMC assessment.

4/ The right framework is COPR. All 4 conditions must be met for data to qualify as CUI:
C — Created by or for the government
O — Owned by a federal agency
P — Possessed on behalf of the government
R — Regulated by a specific authority in cui.gov
If ANY answer is NO — it is not CUI. Document it and move on.

5/ I built cuistandard.com to run this framework for you. Answer 8 questions about your organization. Get your exact CUI categories, markings, and documented determinations. Free preview. No account.
$29/month unlocks:
— Saved workspace
— All 110 NIST 800-171 controls checklist
— System boundary worksheet
— CUI inventory builder
— Incident response planner
— SSP CUI section generator
— Live countdown to November 10, 2026
— Exportable assessor-ready document
cuistandard.com
#CMMC #CUI #NIST #DoD #DFARS #SupplyChainSecurity #DevSecOps #CyberSecurity #InfoSec #EO14028 #AppSec

46
XZ Utils. Codecov. SolarWinds. Every major supply chain attack follows the same question after: "What were your components at the time of the incident?" If your answer is a spreadsheet, you don't have an answer. cbomcompliance.com issues a cryptographically signed receipt at capture time. Timestamped. Verifiable. Permanent. cbomcompliance.com #SBOM #SupplyChainSecurity

29
5 months until CMMC Level 2 enforcement. Your auditor won't ask if you have an SBOM. They'll ask if you can prove it. cbomcompliance.com gives you a cryptographically signed receipt — not a report, not a claim. Proof. cbomcompliance.com #CMMC #SBOM

22
Your SBOM scanner gives you a report. A report is a claim. A claim requires trust. Auditors don't trust. They verify. cbomcompliance.com gives you a signed receipt — cryptographically verifiable by anyone, no account needed. Trust is not declared. It is computed. cbomcompliance.com #CMMC #SBOM

22
In 158 days, defense contractors without documented SBOM controls face CMMC Level 2 enforcement. Most are still running scans and filing reports. Reports are claims. Auditors want proof. cbomcompliance.com issues a cryptographically signed receipt for every SBOM — independently verifiable, no third party needed. A document is a claim. A receipt is proof. #CMMC #SBOM

10
Prechained.com just got a major upgrade.

For anyone who doesn't know what Prechained is: It's a free, open-source cryptographic archive of the software supply chain. Every package version we capture gets SHA-384 fingerprinted and permanently archived to GitHub — before any attack is disclosed, before any takedown, before any security researcher publishes a finding. The receipt already exists. That's the point.

What's new:
→ Real-time npm monitoring. New packages published to npm are monitored in real time. Not a curated list — the entire feed.
→ Live Threat Feed. Automatic detection of fingerprint mutations, new install hooks, publisher changes, and size spikes. Every finding links to verifiable before/after receipts.
→ Incident Registry. Community-submitted and auto-detected incidents in one place. Submit a package. Get a cryptographic receipt.
→ 8 ecosystems. npm, PyPI, Cargo, RubyGems, NuGet, Maven, Packagist, GitHub.

Free. No login. No account. AGPL-3.0. prechained.com
#SupplyChainSecurity #npm #CyberSecurity #infosec #SoftwareSupplyChain #OpenSource #SBOM #DevSecOps #PackageSecurity #CyberThreats #CMMC #OSS
cc @OpenSSF @socketdotdev @SwiftOnSecurity @Ransom_DB

1
2
415
The regulations are here. The deadlines are real.

DORA — in effect now. 160,000 entities.
CMMC 2.0 — 300,000 defense contractors. November 2026.
EU Cyber Resilience Act — every digital product sold in the EU.
SEC cybersecurity rules — material incidents disclosed in 4 days.

Built five tools to help you prove compliance — not just claim it:
→ prechained.com — cryptographic archive of the entire software supply chain. Every package. Every version. Before the attack happens. Free.
→ cbomcompliance.com — turn your SBOM into independently verifiable evidence. A document is a claim. A signed receipt is proof.
→ statutoryregistry.com — cryptographic notarization for regulatory filings, legal instruments, and compliance attestations. Zero retention. Independent verification.
→ cuistandard.com — CMMC Level 2 CUI scoping documentation in 20 minutes. Assessor-ready. $299.
→ 20022validator.com — cryptographic receipts for ISO 20022 financial messages. Built for DORA.

All built on the same principle: trust is not declared. It is computed. nextgenrails.net
#CMMC #CyberSecurity #SupplyChainSecurity #DORA #NIS2 #SBOM #CyberResilience #DefenseContracting #ISO20022 #InfoSec #ComplianceTech #CUI #CMMC2 #SoftwareSupplyChain #ZeroTrust

1
22