I provide consulting services, and write blog posts, on topics including NERC CIP in the cloud, CIP-013 and supply chain cyber risk management, vulnerability management and developments in the CVE program, and the National Vulnerability Database (NVD). I lead the OWASP SBOM Forum, which discusses and advocates for issues involving the CVE program, the NVD, and software bills of materials.
I also provide advice to vendors of cloud-based services on complying with the current requirements for BES Cyber System Information (BCSI) in the cloud, as well as the current effort to amend the CIP standards to permit safe use of BES Cyber Systems in the cloud.
I write a widely followed blog which focuses on all of the above topics: https://tomalrich.substack.com/. I'm the author of "Introduction to SBOM and VEX".