CISA announces 2023 CISA SBOM-a-Rama June event to build on existing community-led work

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will facilitate the 2023 CISA SBOM-a-Rama, a public event intended to build on the existing community-led work around the Software Bill of Materials (SBOM) on specific topics. The agency is hosting the event to support a community effort to advance SBOM technologies, processes, and practices.

The 2023 CISA SBOM-a-Rama event is scheduled for Wednesday, Jun. 14, 2023, from 12:00 p.m. to 6:00 p.m. EST (Eastern Standard Time), or 9:00 a.m. to 3:00 p.m. PST (Pacific Standard Time), according to a Federal Register notice published Monday. “Attendees are invited to ask questions, share comments, and raise further issues that need attention. Specific presentations will be made on the community-led efforts around sharing SBOMs, cloud and online applications, tools and implementation, the Vulnerability Exploitability eXchange (VEX) model, and SBOM on-ramps and adoption. The event will also feature presentations and discussion on sectors’ and governments’ efforts around the world,” the notice added.

The CISA SBOM-a-Rama meeting will help the broader software and security community understand the current state of SBOM and what efforts have been made by different parts of the SBOM community, including CISA-facilitated community-led work and other activities from sectors and governments.

The event is open to anyone. CISA welcomes participation from anyone interested in learning about the current state of SBOM practice and implementation, including private sector practitioners, policy experts, academics, and representatives from non-U.S. organizations, Eric Goldstein, executive assistant director for cybersecurity at CISA, Department of Homeland Security, wrote in the Federal Register notice. A full agenda for the 2023 CISA SBOM-a-Rama event will be posted in advance of the meeting at https://cisa.gov/SBOM, and a form allowing individuals to register their interest in either in-person or virtual participation will be available at the same link.

The notice added that “recognizing the importance of SBOMs in transparency and security, and that SBOM evolution and refinement would be most effective coming from the community, the Cybersecurity and Infrastructure Security Agency (CISA) is facilitating a public event around SBOM, which is intended to advance the software and security communities’ understanding of SBOM creation, use, and implementation across the broader technology ecosystem.”

An SBOM has been identified by the cybersecurity community as a key aspect of modern cybersecurity, including software security and supply chain security, the notice said. “Executive Order 14028 declares that ‘the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.’ SBOMs play a key role in providing this transparency,” it added.

U.S. President Joe Biden’s May 2021 E.O. 14028 defines SBOM as “a formal record containing the details and supply chain relationships of various components used in building software.” The E.O. further notes that “[s]oftware developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.” Transparency from SBOMs aids multiple parties across the software lifecycle, including software developers, purchasers, and operators.

The concept of SBOMs is not novel, as it has been discussed and explored in the software industry for many years, building on industrial and supply chain innovations, the notice said. “SBOM generation and sharing across the software supply chain was not seen as a commonly accepted practice in modern software. In 2018, the National Telecommunications and Information Administration (NTIA) convened the first ‘multi-stakeholder process’ to promot[e] software component transparency.”

Over the subsequent three years, the stakeholder community developed guidance to help foster the idea of SBOM, including high-level overviews, initial advice on implementation, and technical resources. When the NTIA-initiated multi-stakeholder process concluded, NTIA noted that ‘what was an obscure idea became a key part of the global agenda around securing software supply chains.’

Last July, CISA facilitated eight public listening sessions around four open topics (two sessions per topic): cloud and online applications, sharing and exchanging SBOMs, tooling and implementation, and on-ramps and adoption. These listening sessions led to the formation of four public, community-led workstreams, one for each topic. The groups have been convening weekly since August.

CISA also called last month for public comment on a self-attestation form to be used by software producers. After obtaining and considering public comment, the agency will prepare a submission requesting clearance of this collection as a Common Form, in coordination with OMB, so that agencies beyond DHS can use the form and streamline the information collection process. Comments are encouraged and will be accepted until June 26.

Along with global cybersecurity agencies, CISA is also pushing software manufacturers to take the steps necessary to ship products that are secure-by-design and secure-by-default, shifting the balance of cybersecurity risk and revamping their design and development programs. These approaches to product security move much of the burden of staying secure onto manufacturers and reduce the chance that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.