NTIA to Host Proof-of-Concept Summit in Software Transparency Effort


More agencies are starting to ask suppliers for a software bill of materials in building a foundation for better, faster cybersecurity.

Over the last two years, the National Telecommunications and Information Administration has been working to popularize and standardize a way for software consumers to make more informed decisions—with security in mind—and is planning an event for stakeholders to compare notes on how to get to the goal.

“The working group reviewed plans for an upcoming proof-of-concept summit, where we can bring together folks from different sectors, energy, finance, telecommunications, national security to sort of say here's how we've done it, here are some of the other ways that you could think about doing it, and create a space for folks to really think about it,” said Allan Friedman, NTIA’s director of cybersecurity initiatives. “That's something that NTIA is going to be working with our stakeholders to plan over the next few months.” 

The transparency project is centered around what’s called a “software bill of materials,” a list of the components that go into a product and where each of them comes from. Friedman spoke with Nextgov about how it came about and where it might lead.

“This is not a new idea, it's been a standard part of manufacturing for decades,” Friedman said. But times are changing, and industry standards haven’t kept up with the use of opaque software sourcing.

“If I buy, say a giant generator for my facility, it will come with a list of all the parts so that I know what the total cost of ownership and maintenance is going to look like,” Friedman said. “If I buy that generator today, it's going to be connected to the internet, it's going to have a lot of software, and we don't have the same visibility that we still need from a maintenance, support, and, of course, security perspective.”

Software is typically built on top of existing components, often open-source, that developers pick up and compile into their products without tracking what went in. Vulnerabilities do pop up in these components, and customers often do not know that they need to patch their systems. If customers had access to an SBOM, they could know not just whether a vulnerable component exists in their software, but where it sits within the rest of the software, so they can quickly remediate it.

The idea behind the SBOM is not that the presence of a vulnerability should immediately disqualify a product, but that consumers should have the information they need to make the best decision for their use case.

“Most of the time if I buy a piece of candy in the store I don't care [about all the ingredients], but all of us know someone with a food allergy or dietary restriction and then they need that data to be available in an accessible format,” Friedman said using another analogy. “Similarly, knowing what pieces of software go into making a bigger, more useful piece of software, empowers that risk-based decision.”

The idea is that if customers ask for this information it will provide an incentive for software makers to do a better job of tracking components and avoiding counterfeit, outdated or otherwise sketchy sources of code in the rush to market their products. 

“I think one of the big failures was this lack of what we call a shared vision,” Friedman said. “No one was asking for it, so no one was supplying it, a traditional chicken and egg problem. That's why NTIA's approach to tackling that challenge was to bring the folks who make software and the folks who use software together to say what will be useful.”

NTIA’s multistakeholder group includes security researchers, major software manufacturers, and their customers. The makers of medical devices and major health care organizations—two groups where tensions have flared in the past over who should be liable for security breaches—are both participants, for example. And they’ve produced a proof of concept to show the utility of an SBOM in the healthcare sector.

SBOMs can differ significantly in how much information they disclose. A customer might ask a vendor to produce a full list of known vulnerabilities in the software, for example, so they can check it against a national database of such vulnerabilities. To set a baseline that would encourage the greatest possible adoption, Friedman said it was important for the group to narrow its focus.
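The two uses described above, checking whether a vulnerable component is present and locating where it sits in the dependency tree, are illustrated by the following added example. It is not code from the article or from NTIA; the SBOM structure, component names, versions and the advisory are all constructed for illustration and do not follow any particular real SBOM format.

```python
# Added example: walk a minimal SBOM (a tree of components with versions and
# dependencies) and report every path to a component named in an advisory.
# All data here is constructed; it does not mirror any real product or CVE.
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    supplier: str = "unknown"
    dependencies: list = field(default_factory=list)


@dataclass
class Advisory:
    component: str
    fixed_in: str  # versions strictly below this are affected


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only, so "1.10.0" sorts after "1.9.0"
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    return comp.name == adv.component and parse_version(comp.version) < parse_version(adv.fixed_in)


def find_affected(root: Component, adv: Advisory, path=()) -> list:
    """Return 'root > ... > component@version' paths for every affected instance.

    The same library may be bundled more than once at different versions, so the
    walk reports each occurrence separately instead of stopping at the first hit.
    """
    here = path + (f"{root.name}@{root.version}",)
    hits = [" > ".join(here)] if is_affected(root, adv) else []
    for dep in root.dependencies:
        hits.extend(find_affected(dep, adv, here))
    return hits


# Constructed SBOM: middleware and an embedded module both pull in "libparse",
# but only one of them carries a version below the constructed fix.
SBOM = Component("GeneratorController", "3.1.0", "ExampleVendor", [
    Component("telemetry-middleware", "2.4.1", dependencies=[Component("libparse", "1.2.0")]),
    Component("embedded-ui", "0.9.0", dependencies=[Component("libparse", "1.3.1")]),
    Component("libcrypto-x", "5.0.2"),
])
ADVISORY = Advisory("libparse", fixed_in="1.3.0")  # constructed advisory

if __name__ == "__main__":
    for hit in find_affected(SBOM, ADVISORY):
        print("affected:", hit)
```

Running it prints only the middleware path, because the embedded module's copy of the library is already at or above the fixed version; that distinction is exactly what a flat "is libparse present?" answer would miss.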

“We wanted to capture the entire supply chain, starting from the open-source community, going all the way down to middleware, commercial, embedded and then of course the enterprise customer of the software,” he said. “We're not trying to tackle the entire software supply chain challenge and we're not trying to tackle the entire software assurance challenge. We're just looking at the narrow space around making sure that folks know what dependencies are in their software.”  

One thing that everyone in the group agreed on was the need for whatever format the SBOM is delivered in to be machine readable so it can be folded into automated processes. 

“The community I think has done a great job of defining the basic set in a way that is flexible to build on all of the different things that are in the world today but still have some power to integrate into the tools, so we can take advantage of automation,” Friedman said.

A significant challenge for the NTIA working group will be to develop a translator tool to bridge the different formats currently used to deliver SBOMs, since each format may require the inclusion of different elements.

“Each has its own strengths and that's great, what we want to do is focus on the commonality, so that as people select the data format, based on its strengths or the tools that are available, it still follows the overall model and vision of SBOM and we can emphasize cross-compatibility and translatability,” he said.

Whatever form it takes, the SBOM idea is catching on with a number of government agencies and departments.

The Food and Drug Administration, which is responsible for the safety of medical devices, for example, calls for a “Cybersecurity Bill of Materials” in guidance for companies seeking the agency’s permission to market their products. The Department of Energy recently asked major utilities whether they use an SBOM to get visibility into their systems’ reliance on Chinese providers Huawei and ZTE. The Air Force’s Enterprise DevSecOps initiative requires submission of an SBOM for quick and continuous access to its collaborative environment. 

And SBOM will only become more important as U.S. officials push for telecommunication networks of the future to be open and software-defined.

“We think there's a natural fit between the emphasis on open interfaces in the future of 5G and software transparency,” Friedman said. “Because we're going to be building on more software, especially more open-source software, and the need to understand how different layers build on top of each other, and that's a very traditional supply chain story.”

As operators start to understand the risks built into next-generation telecom networks and start to think about the need to monitor for active supply-chain attacks, that again builds on transparency. Friedman noted that transparency alone won't identify whether such attacks are occurring, but it can guide efforts and help figure out where greater monitoring and security research should be focused in core networks.

“And if there is a vulnerability or an attack discovered, it also helps you to understand how to remediate it and fix it because you know where it is in your own network,” he said.

Friedman said the NTIA working group is near consensus on producing comprehensive guidance for companies and organizations that want to create and use SBOMs. 
