Wider use of software bill of materials (SBOM) requirements is a key building block of software security and software supply chain risk management, one that Federal agencies will need to rely on increasingly going forward, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said today.
Allan Friedman, a senior advisor and strategist for CISA, explained that software packages typically include an extensive number of third-party components, and that Federal agencies must actively watch and manage each one to preserve security and functionality.
“To that end, it’s critical for the Federal government to move towards frequent utilization of an SBOM to keep track of these components. This machine-readable list comprises the various dependencies and elements of a piece of software,” Friedman said at a virtual event hosted by GovExec and Veracode.
An SBOM also constitutes a formal record containing the details and supply chain relationships of various components used in building the software.
The drive for SBOMs has gained steam since May 2021, when the Biden administration released an executive order emphasizing SBOMs as a way of boosting the nation’s cybersecurity. Since then, the National Telecommunications and Information Administration (NTIA) has sought comment on what to include in SBOMs, and CISA leadership has called for SBOMs to aid in system visibility and inventory management following disclosure of the Log4J vulnerability earlier this year.
Friedman said today that SBOM implementation in the Federal space remains new and emerging. And while there is no reason organizations cannot use SBOM today, “we cannot assume universal full automation and integration,” he said.
Moving forward, Friedman listed three main goals in the government’s broader SBOM initiative:
- Make SBOM generation an expectation in the marketplace;
- Make SBOM generation easier and cheaper, at scale; and
- Enable efficient and effective SBOM data consumption.
Additionally, Friedman explained that CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. He also explained that “continued industry leadership is needed to guide SBOM investment, standards, and policy.”
Friedman acknowledged that transparency will not solve all security problems, but “without transparency, it will be very hard to solve any security problems.”