Following President Biden’s executive order on improving the nation’s cybersecurity after a host of cybersecurity attacks, the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), must publish the minimum elements for a Software Bill of Materials (SBOM).
The NTIA also proposed a definition of the ‘minimum elements’ of an SBOM that builds on three broad, inter-related areas – data fields, operational considerations, and support for automation. Focusing on these three areas will enable an evolving approach to software transparency and ensure that subsequent efforts can incorporate more detail or technical advances, the agency said.
Last month’s Executive Order defined an SBOM as “a formal record containing the details and supply chain relationships of various components used in building software.” Software developers and vendors often create products by assembling existing open source and commercial software components.
“Through this Notice, following from the Executive Order, NTIA is requesting comments on the minimum elements for an SBOM, and what other factors should be considered in the request, production, distribution, and consumption of SBOMs,” according to a document published on the Federal Register. The goal of the ‘Request for Comments’ is to seek input and feedback on NTIA’s approach to developing and publishing the minimum elements of an SBOM.
The NTIA is an executive branch agency that is principally responsible for advising the U.S. President on telecommunications and information policy issues.
NTIA is committed to being open to further additions, corrections, deletions, or other changes, particularly when suggestions are well supported with documents, operational evidence, and support from broad-based constituencies in the software ecosystem. The agency has played a leadership role in advocating for SBOM, convening experts from across the software world and leading discussions around the ideas of software supply chain transparency.
The executive order directs the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the NTIA, to publish the minimum elements for an SBOM within 60 days.
“By providing a forum for SBOM discussions, NTIA has helped the community identify common themes, coalesce around standards, and emphasize interoperability. These discussions have led to the documentation of existing tools, products, and projects, and have helped drive further experimentation and implementation,” according to the NTIA document.
“With an emphasis on the practice of SBOM generation and use, NTIA has sought to facilitate “proof-of-concept” exercises in specific communities and sectors. NTIA has also worked across the federal government to share ideas about SBOM, seek feedback and engagement from experts in the civilian and national security community, and expand general awareness of SBOM,” it added.
An SBOM enumerates the components in a product, and is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software, the EO said. Developers often use available open-source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.
Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product, according to Biden’s EO. Those who operate software can use SBOMs to determine whether they are at potential risk of a newly discovered vulnerability. SBOMs gain greater value when collectively stored in a repository that can be queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk, it added.
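The two uses the EO describes above, checking a product's components against known vulnerabilities and querying a repository of SBOMs across products, can be shown in a few dozen lines. The following is an added example, not code from NTIA, the EO, or any SBOM standard: the SBOM layout (supplier, name, version, a package-URL style identifier, and the identifiers of direct dependencies), the two products, the advisory identifiers and the version ranges are all constructed for illustration. It goes slightly beyond the text by walking the recorded dependency relationships so that a finding reports the chain from the product down to the affected transitive component, which is what an operator needs to know which direct dependency to upgrade.

```python
"""Consume SBOMs: match components against advisories and answer
"which products ship package X" across an SBOM repository.
Added illustration; SBOM layout, advisories and names are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample SBOMs for two products. Each component carries the
# supplier, name, version, a package-URL style id, and the ids of the
# components it directly depends on (the "supply chain relationships").
SBOMS = {
    "acme-gateway 3.1": [
        {"supplier": "Acme", "name": "acme-gateway", "version": "3.1.0",
         "id": "pkg:generic/acme/acme-gateway@3.1.0",
         "depends_on": ["pkg:pypi/webframe@2.4.1", "pkg:pypi/tlslib@1.0.9"]},
        {"supplier": "Webframe Project", "name": "webframe", "version": "2.4.1",
         "id": "pkg:pypi/webframe@2.4.1",
         "depends_on": ["pkg:pypi/jsonparse@0.8.2"]},
        {"supplier": "TLS Lib Authors", "name": "tlslib", "version": "1.0.9",
         "id": "pkg:pypi/tlslib@1.0.9", "depends_on": []},
        {"supplier": "JSONParse Maintainers", "name": "jsonparse", "version": "0.8.2",
         "id": "pkg:pypi/jsonparse@0.8.2", "depends_on": []},
    ],
    "acme-agent 1.4": [
        {"supplier": "Acme", "name": "acme-agent", "version": "1.4.2",
         "id": "pkg:generic/acme/acme-agent@1.4.2",
         "depends_on": ["pkg:pypi/jsonparse@0.9.0"]},
        {"supplier": "JSONParse Maintainers", "name": "jsonparse", "version": "0.9.0",
         "id": "pkg:pypi/jsonparse@0.9.0", "depends_on": []},
    ],
}

# Constructed advisories (not real CVEs): the package without its version,
# the first affected version, and the first fixed version (half-open range).
ADVISORIES = [
    {"id": "ADV-2021-0001", "package": "pkg:pypi/jsonparse",
     "introduced": "0.7.0", "fixed": "0.9.0"},
    {"id": "ADV-2021-0002", "package": "pkg:pypi/tlslib",
     "introduced": "1.0.0", "fixed": "1.0.9"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple ('1.0.9' -> (1, 0, 9))."""
    return tuple(int(part) for part in v.split("."))


def split_id(component_id: str) -> tuple[str, str]:
    """'pkg:pypi/jsonparse@0.8.2' -> ('pkg:pypi/jsonparse', '0.8.2')."""
    package, _, version = component_id.rpartition("@")
    return package, version


def is_affected(component_id: str, advisory: dict) -> bool:
    """True when the component's package matches and introduced <= version < fixed."""
    package, version = split_id(component_id)
    if package != advisory["package"]:
        return False
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def dependency_paths(components: list[dict]) -> dict[str, list[str]]:
    """Map each component id to one chain of ids from the product root to it."""
    graph = {c["id"]: c["depends_on"] for c in components}
    depended_on = {dep for deps in graph.values() for dep in deps}
    roots = [cid for cid in graph if cid not in depended_on]  # nothing depends on the product itself
    paths: dict[str, list[str]] = {}
    stack = [(root, [root]) for root in roots]
    while stack:
        node, path = stack.pop()
        if node in paths:  # already reached by another route
            continue
        paths[node] = path
        for dep in graph.get(node, []):
            stack.append((dep, path + [dep]))
    return paths


@dataclass(frozen=True)
class Finding:
    product: str
    advisory: str
    component: str
    path: tuple[str, ...]  # product root ... affected component


def find_affected(sboms: dict, advisories: list[dict]) -> list[Finding]:
    """Cross every SBOM in the repository with every advisory."""
    findings = []
    for product, components in sboms.items():
        paths = dependency_paths(components)
        for comp in components:
            for adv in advisories:
                if is_affected(comp["id"], adv):
                    findings.append(Finding(product, adv["id"], comp["id"],
                                            tuple(paths[comp["id"]])))
    return findings


def products_with_package(sboms: dict, package: str) -> list[str]:
    """Repository-style query: which products ship any version of `package`?"""
    return sorted(product for product, comps in sboms.items()
                  if any(split_id(c["id"])[0] == package for c in comps))


if __name__ == "__main__":
    for f in find_affected(SBOMS, ADVISORIES):
        print(f"{f.product}: {f.advisory} via {' -> '.join(f.path)}")
    print("products shipping jsonparse:", products_with_package(SBOMS, "pkg:pypi/jsonparse"))
```

Run as written, the only finding is acme-gateway 3.1, reached through webframe to jsonparse 0.8.2; tlslib 1.0.9 sits exactly at the advisory's fixed version and is correctly not flagged, which is the boundary a hand-written range check most often gets wrong. Real SBOMs use a standard format and real advisories carry richer version semantics, so the version comparison here is the part to replace first in production use.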
U.S. security agencies have been aware that government, critical infrastructure including the Defense Industrial Base, and allied networks are consistently scanned, targeted, and exploited by Russian state-sponsored cyber actors, and in April formally attributed the SolarWinds supply chain compromise and related cyber-espionage campaign to these actors.
The U.S. intelligence agencies alleged ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities and encouraged cybersecurity stakeholders to check their networks for indicators of compromise related to those vulnerabilities and the techniques detailed in the advisory, and to urgently implement the associated mitigations. The agencies also recognized all partners in the private and public sectors for their comprehensive and collaborative efforts to respond to recent Russian activity in cyberspace.
The U.S. President’s budget, released last Friday, allocates funds to bolster the nation’s cybersecurity. “In addition, to support agencies as they modernize, strengthen, and secure antiquated information systems and bolster Federal cybersecurity, the Budget provides US$500 million for the Technology Modernization Fund, an additional $110 million for the Cybersecurity and Infrastructure Security Agency, and $750 million in additional investments tailored to respond to lessons learned from the SolarWinds incident,” according to the Budget.
NTIA invites public comments on a range of issues, including comments that reference studies, research, and other empirical data that are not widely available. Comments submitted by email should be machine-readable and should not be copy-protected.
“Responders should include the name of the person or organization filing the comment, which will facilitate agency follow-up for clarifications as necessary, as well as a page number on each page of their submissions. All comments received are a part of the public record and will be posted on regulations.gov and the NTIA website, https://www.ntia.gov/, without change,” it added.