Commit eb6d953

Merge pull request #17 from n1ckl0sk0rtge/doc/cbom-attestation
CBOM Attestation Guide
2 parents feb2b34 + cdcfdd1 commit eb6d953

1 file changed, +15 -1 lines changed

CBOM/en/0x60-Attestations.md

@@ -1,3 +1,17 @@
11
# Attestations
22

3-
TODO
3+
CycloneDX Attestations is a modern standard for security compliance. CycloneDX Attestations enable organizations with a machine-readable format for communication about security standards, claims and evidence about security requirements, and attestations to the veracity and completeness of those claims. You can think of Attestations as a way to manage "compliance as code."
4+
5+
## Cryptography Standards
6+
7+
Organizations can declare the cryptography standards they follow, such as NIST or FIPS, in a CycloneDX Attestation. This helps ensure that all parties involved in the software development and deployment process are aware of the required cryptography standards.
8+
9+
By providing evidence such as test results, code reviews or other documents that prove that their software meets the cryptography requirements, they enable automatic verification of compliance with the requirements. For example, it can be verified that only approved cryptography algorithms are used and implemented correctly.
10+
11+
CycloneDX Attestations can also be used to manage compliance with cryptography requirements over time. As new vulnerabilities are discovered or standards change, organizations can update their applications, and therefore their attestations, to reflect the changes and ensure ongoing compliance.
12+
13+
> TODO: Example with Fips certifiaction, with requirement, claim and evidence.
14+
15+
## Signing
16+
17+
CycloneDX supports signing to ensure the authenticity and integrity of the attestations.
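Review bot: line 13+ merges a TODO placeholder into the published guide, and the placeholder itself misspells its subject ("Fips certifiaction" should read "FIPS certification"); either supply the promised requirement/claim/evidence example before merging or drop the blockquote so the rendered page does not show an unfinished note. Line 3+ reads "enable organizations with a machine-readable format", which should be "provide organizations with a machine-readable format" (or "enable organizations to use"). Line 9+ overstates what the evidence establishes: test results, code reviews and documents attached to an attestation let a verifier check that the claim is backed by evidence and, where the evidence is machine-checkable, that only approved algorithms are used, but they do not by themselves verify that those algorithms are "implemented correctly"; suggest rewording to "it can be verified that only approved cryptography algorithms are claimed and that evidence for the claim is present" and leaving correctness to the reviewer of that evidence. Line 17+ leaves the Signing section as a single sentence; state which signature formats CycloneDX supports and what is signed (the attestation document as a whole versus individual claims and evidence), since that determines what integrity guarantee a consumer actually gets.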
