Automating the Software Bill of Materials: A Federal Government Initiative

Executive Order 14028, titled “Improving the Nation’s Cybersecurity,” was released by the Biden administration and included suggestions for enhancing the security of the nation’s software supply chain. 

As a result, fundamental building blocks are being built to strengthen software Supply Chain Risk Management (SCRM) programmes throughout the sbom federal requirement of government and to boost software security. 

One of those basic building blocks is the upcoming need for a software bill of materials (SBOM) in government acquisitions.

What is an SBOM, exactly?

A formal listing of layered software components that details their relationships is known as an SBOM. 

The creation of software often makes use of both open source and proprietary software components. All of a product’s hierarchical components are listed in the SBOM.

It is similar to buying groceries at a big-box store. To better understand what they are eating and the risks associated with it, a consumer will want to know if their dish contains soy, gluten, nuts, or other component components. 

An organization will want to know if a nested component could have a recently found vulnerability or whether a component manufacturer is known to have insufficient vulnerability management programmes in order to evaluate and reduce risk (e.g. Vendors slow to release patches to exploitable vulnerabilities).

What is the position of the government on SBOM?

The Executive Order is a call to action that establishes a deadline to ensure that Government buyers may use an SBOM to conduct vulnerability or license analysis, evaluate product risk, and determine if they are at risk of a newly found vulnerability more quickly and effectively. 

It was mandated that the National Institute of Standards and Technology (NIST) provide guidelines on methods to enhance software supply chain security, such as giving a buyer an SBOM. 

The task of disseminating the bare minimum SBOM components fell to the National Telecommunications and Information Administration (NTIA).

Automating sboms: Attempts

The SBOM initiative of the federal government consists of two crucial parts: a sector-wide consistent policy and a focus on automation to quicken responses to vulnerabilities found in component data sets.

Modern software is not the result of a single-source, monolithic development effort. Transitive dependencies between software components might impact a component’s runtime, performance, or security profile. 

Assessing components for transitive links becomes increasingly crucial in determining a product’s overall risk profile as government ecosystems become more modular.

Over the last 10 years, collaboration on the exchange of SBOM information has also produced two widely used standards, OWASP cyclonedx and Software Package Data Exchange (SPDX). 

A simple “Bill of Materials (BOM) standard designed for use in application security scenarios and supply chain component analysis” is the OWASP cyclonedx standard. 

An “open standard for communicating software bill of material information, including provenance, licensure, security, and other related data,” is what SPDX is described as. 

These SBOM communication standards reduce labor duplication by providing a standardized framework for creating and using sboms.

The Vulnerability Exploitability exchange was created in 2018 as a consequence of a programme the NTIA started to promote Software Component Transparency (VEX). 

The main goal of VEX is to “give users (e.g., operators, developers, and service providers) with additional information on whether a product is impacted by a particular vulnerability in an included component and, if affected, if measures to repair are indicated,” according to the NTIA.

The federal government should concentrate on how automation improves worker efficiency while developing an operational strategy centered on SBOM. 

Most of the time, a labor must manually research the elements that make up a software product, any transitive linkages, and any exploitable flaws.

Multiple sboms are produced by a number of vendors

Various sboms will be submitted to government agencies by vendors, contractors, and internal software development teams. 

In order to make informed decisions based on risk acceptability and security criteria, they will require a technique for verifying, analyzing, storing, managing, and integrating multiple sboms.

For instance, a diabetic shopper at the grocery store is aware that buying a pint of ice cream can be appropriate provided it is consumed in amounts that are consistent with their total daily allocation. 

On the other hand, the purchase and consumption of cookies, cakes, and sweets may exceed the daily allowance of permitted sugar intake, which may be detrimental to their health.

Federal agencies need a similar understanding of the whole of their software and its dependencies in order to make informed decisions based on the data in different sboms.

Additionally, they seek more guidance on how sboms fit into the existing corporate procedures for acquisitions, risk management, asset management, and defensive cyber operations. 

Although OMB may provide recommendations, the private sector has the best expertise in using sboms. 

Therefore, to save costs while maximizing private sector expertise, federal agencies can take use of already-existing public-private partnerships centered on software supply chain assurance.

Comments are closed, but trackbacks and pingbacks are open.