The Apache Log4j vulnerability brought to light a challenge for software providers that had been seldom seen. The vulnerability highlighted the critical importance of a secure software supply chain and understanding all the components that go into an application.

Efforts to improve the software supply chain are ongoing, with industry and federal agencies working together. President Biden’s Executive Order 14028 highlights the criticality of software supply chain and calls for broader use of software bill of materials (SBOM). Federal guidance around SBOMs is being developed, with the National Telecommunications and Information Administration (NTIA) and Cybersecurity and Infrastructure Security Agency (CISA) completing listening sessions and standing up working groups. The White House Office of Management and Budget (OMB) also recently released guidance on software supply chain with OMB-M-22-18,“Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.” The memo directs the National Institute of Standards and Technology (NIST) to issue guidance “identifying practices that enhance the security of the software supply chain.” NIST’s Secure Software Development Framework (SSDF), SP 800-218, and the Software Supply Chain Security Guidance include practices that create the foundation for developing secure software. M-22-18 requires agencies to comply with the NIST Guidance and any subsequent updates.

The OMB memorandum requires agencies to obtain self-attestation to secure software development practices from a provider before using the software. Additionally, agencies may obtain other artifacts from vendors that demonstrate conformance to secure software development practices such as SBOMs.

The U.S. House of Representatives National Defense Authorization Act (NDAA) Section 6722, “DHS Software Supply Chain Risk Management” would require holders of existing covered contracts and those responding to requests for proposal (RFP) from the U.S. Department of Homeland Security (DHS) to provide an SBOM and certify the items in the SBOM are free of vulnerabilities or defects and identify a plan to mitigate any identified vulnerabilities.  

Improving software supply chain security is critical to ensuring the security of federal IT systems, and a risk management approach to mitigating vulnerabilities may include the use of SBOMs. However, the language in the House NDAA does not account for current administration efforts regarding SBOM, or the readiness of software suppliers and consumers, including government customers, to fully leverage SBOMs.

SBOMs have the potential to be an important part of an organization’s risk management program, however they are not a cure all and additional work needs to be done to make them a valuable tool for software producers and consumers. Specific steps that should be taken include:

  • Establishment of pilot programs involving software suppliers and agencies to demonstrate the effectiveness of SBOMs in improving vulnerability management     practices, based on risk metrics.
  • Adoption of common standards for sharing, processing, and implementation of SBOMs and associated infrastructure to reduce potential confusion and     inconsistency in outcomes.
  • Development of pilot programs to better refine how SBOMs can and should be used in cloud environments. 

If the current language in the House NDAA becomes law, SBOMs will be rushed to market and they will not have the desired utility for agencies for several reasons, including the lack of standardization. DHS’s recent Cyber Safety Review Board publication of the December 2021 Log4j event notes that SBOMs are currently limited, with differences in field descriptions and lack of version information as two of the cited challenges. This highlights the need for additional work to include guidance on the structure and construction of an SBOM and standardization of the processes for SBOM dissemination, ingestion, and use. Each of these is critical for software developers to create usable SBOMs and for government and other buyers to make effective use of the output.

Because of the concerns with the NDAA House language, the Cybersecurity Coalition and other industry groups sent a letter to Congress requesting that legislators remove the SBOM language from the NDAA and give industry and agencies more time to implement solutions that will better secure the country’s software supply chain.

There is a lot of excellent work being done between the administration and industry with respect to the security of software supply chains. Any legislation trying to tackle these issues should build on the work underway and ensure alignment across federal  defense and civilian agencies while taking into consideration industry feedback on the viability of programs that include SBOMs. The latest OMB memorandum gives software vendors more time to comply and create artifacts that will be useful to agencies instead of rushing the process. This will lead to better outcomes for everyone involved.

 

Grant Schneider

Read Next

The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments

The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.

The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)

In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.

Counter Ransomware Initiative Adds Private Sector Members

Earlier this month, more than 68 countries and organization members met for the fourth annual International Counter Ransomware Initiative (CRI), which included the addition of a public-private advisory panel.