CISA Requests Feedback on the Specifics of Future Software Transparency Requirements

For five days in July, the Cybersecurity and Infrastructure Security Agency will hold a series of listening sessions to advance the use of a software bill of materials, or SBOM, across the federal enterprise, a basic principle of the executive order to improve the nation’s cybersecurity.

“EO 14028 defines SBOM as a ‘formal record that contains the details and relationships in the supply chains of the various components used in the creation of software,’” CISA explained in a notice published in the Federal Register on Wednesday. “The EO further notes that ‘[s]oftware developers and vendors often create products by assembling existing open source software components and commercial components. SBOM lists these components in the product.’”

As noted in background material prepared by the House Science Committee before a recent hearing on the matter, “Modern software products depend on a huge number of components from different developers, code repositories and other sources. Software component vendors also use different naming schemes for the same components. As a result, identifying which vulnerabilities threaten which products can be a challenging technical task. SBOM can solve this problem by creating a machine-readable list that will allow software developers and users to track software components and dependencies and make responding to vulnerabilities in the event of an incident easier.”
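As an added illustration of the committee’s description (example code written for this edit, not from CISA, the committee or the article), the following Python correlates a constructed CycloneDX-style SBOM with a constructed advisory list. It matches on each component’s Package URL (purl) rather than on the vendor-chosen display name, which is what lets differing naming schemes (“Log4j-Core” versus “log4j-core”, “OpenSSL” versus “openssl”) still resolve to the same component. Every SBOM entry, advisory identifier and version number is a constructed placeholder, and the version comparison is a deliberately simplified one.

```python
"""Added example: correlate a constructed CycloneDX-style SBOM against a
constructed advisory list by Package URL identity.

Assumptions: each SBOM component carries a purl (as CycloneDX allows), and
each advisory names the affected package by ecosystem and name plus the first
fixed version. No SBOM entry, advisory id or version here is real."""
import json
from typing import Dict, List, Tuple

# Constructed SBOM fragment in the CycloneDX JSON shape (not a real product).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "Log4j-Core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "OpenSSL", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed advisories; names deliberately differ in casing from the SBOM's
# display names to show why matching on display name alone is unreliable.
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "maven",
     "package": "org.apache.logging.log4j/LOG4J-CORE", "fixed_in": "2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "generic",
     "package": "openssl", "fixed_in": "1.1.1l"},
]


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version' into (type, 'namespace/name', version).

    Qualifiers ('?...') and subpaths ('#...') are dropped; type and name are
    lower-cased so that identity comparison is case-insensitive."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name_part, sep, version = rest.rpartition("@")
    if not sep:  # no '@' present: the whole remainder is the name
        name_part, version = rest, ""
    return ptype.lower(), name_part.lower(), version


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Simplified ordering key: dotted numeric parts with an optional letter
    suffix (so '1.1.1k' < '1.1.1l'). Real ecosystems need their own rules."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def find_affected(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one record per (component, advisory) pair whose purl identity
    matches and whose version is below the advisory's first fixed version."""
    sbom = json.loads(sbom_json)
    index: Dict[Tuple[str, str], List[Dict]] = {}
    for adv in advisories:
        key = (adv["ecosystem"].lower(), adv["package"].lower())
        index.setdefault(key, []).append(adv)
    matches = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched reliably
        ptype, name, version = parse_purl(purl)
        for adv in index.get((ptype, name), []):
            if version_key(version) < version_key(adv["fixed_in"]):
                matches.append({"component": comp["name"], "version": version,
                                "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return matches


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f'{hit["component"]} {hit["version"]}: {hit["advisory"]} (fixed in {hit["fixed_in"]})')
```

The component with no matching advisory (the constructed `requests` entry) and any component whose version is at or above `fixed_in` produce no record, and a component that lacks a purl is skipped rather than guessed at, which is the practical reason the minimum SBOM elements discussed later in the article matter.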

“However,” the committee wrote, “as the Subcommittee on Investigation and Supervision heard during a supply chain security hearing in May 2021, questions remain about the effectiveness of SBOM, as well as about the ability of organizations to accept them.”

Under EO 14028, prospective vendors should provide agencies with minimum SBOM elements; their use is part of a larger set of practices, including multi-factor authentication and similar security measures in the development environment, that the administration wants agencies to consider when purchasing software.

The statement said the agency “will not request specific results from meeting participants, and currently CISA does not intend to use the information shared during the auditions to directly address or inform any decision on federal policy.”

Federal Chief Information Security Officer Chris Derusha recently told Nextgov that the Office of Management and Budget, the National Institute of Standards and Technology, and CISA have already submitted their recommendations on software procurement rules to the Federal Procurement Regulatory Board, as the order requires.

CISA said it was holding the sessions “recognizing the importance of SBOM for transparency and security, and that the development and improvement of SBOM must come from the community to maximize efficiency.” They are “designed to improve the community’s understanding of software and the security of the creation, use and implementation of SBOM across the wider technology ecosystem.”

The agency welcomes additional ideas but is particularly interested in hearing about four topics: cloud and online applications, SBOM sharing and exchange, tools and implementation, and enhancement and adoption.

As for the first of these, CISA said that “much of the existing discussion around SBOM, especially around SBOM use cases, has focused on internal software. Cloud and software as a service (SaaS) includes a large and growing segment of the software ecosystem. Potential sub-topics may include: How should the community think about SBOM in the context of online applications and modern infrastructure? How can the community integrate SBOM’s work into new cloud-based capabilities?”

The other topics will encourage discussion of how SBOM can most effectively be standardized in federal procurement. The listening sessions will be held virtually, with connection and dial-in information on CISA’s SBOM page.
