The National Institute of Standards and Technology has defined "critical software" in accordance with an executive order to institute procurement standards federal agencies must follow.
Some of the country’s biggest tech companies and a key lawmaker disagree on some major points of how the National Telecommunications and Information Administration should define minimum elements of a software bill of materials, or SBOM, which will be required for certain software used by the government.
A May 12 executive order called for new standards to guide agency software purchases including a definition of “critical software”—which the National Institute of Standards and Technology published Friday—and the disclosure of SBOMs so agencies know more about the quality of software they’re purchasing. The order came in response to a string of high-profile security breaches including one where IT management firm SolarWinds unwittingly distributed a trojanized update to tens of thousands of its customers, including government agencies.
As required by the order, NIST’s definition of critical software is focused heavily on software that has elevated privileges or controls access to an organization’s computing resources along with related direct software dependencies. NIST explains that by “dependencies,” it means software components such as libraries. That’s where the NTIA comes in. The order tasks the Commerce agency with deciding basic things about what an SBOM should include and how it should be delivered.
But while an NTIA multistakeholder process has been ongoing toward this end since 2018, participants disagreed with the agency’s proposal. Industry representatives such as the U.S. Chamber of Commerce and the Information Technology Industry Council submitted comments asking for flexibility, especially on how deep an SBOM should be required to go in describing its transitive dependencies.
We “urge NTIA to consider our inputs related to depth, the limitations of SBOM due to versioning and software identification issues, the importance of context when it comes to vulnerability information, and the level of effort and resourcing that will be necessary for companies to prepare SBOMs,” ITI wrote.
In contrast, Rep. Jim Langevin, D-R.I., chairman of the House Armed Services cybersecurity subcommittee and a member of the Cyberspace Solarium Commission, asked NTIA to refrain from such considerations, suggesting a reluctance to invest in software security is responsible for the government’s cybersecurity posture.
“I encourage NTIA to avoid projecting how its standards may affect Federal contracting,” Langevin wrote. “The Federal Government’s purchasing power is immense, and NTIA should not limit the ability of procurement officers to strike the best possible deal for Federal customers. Increased software transparency may, indeed, impose costs on software developers wishing to sell to the Federal Government by forcing them to alter terms of existing license arrangements. However, I firmly believe that our unwillingness to pay for security is one of the reasons we continue to face the volume of cyber threats that we do.”
Langevin also pushed for SBOMs to be more publicly available, whereas industry commenters expressed intellectual-property concerns they associate with SBOMs.
“I hope NTIA will place an emphasis on making SBoM available online whenever possible,” Langevin said. “In addition to making auditing more automatable, posting SBoMs online also has the potential to help the broader ecosystem of software users, not just Federal government customers.”
The executive order gave NTIA 60 days to publish its minimum SBOM elements.