Commercial products bought without modification are largely exempt from government acquisition regulations, including the Defense Department’s emerging certification program.
The vast majority of commercial-off-the-shelf products examined in a new report contain at least one cybersecurity vulnerability at the highest severity ranking, something the report’s authors say should compel their customers—including the government—to employ software bills of materials.
“Enterprise organizations should demand the disclosure of open source components and vulnerabilities from software vendors when evaluating COTS applications to make more intelligent risk-based decisions,” Andy Meyer, chief marketing officer for GrammaTech, told Nextgov.
GrammaTech—an application security testing firm that generates SBOMs and would benefit from greater demand for them—published the report Wednesday in partnership with cybersecurity consultant Osterman Research. The report used data pulled from binary analyses of COTS products organized into five categories.
“Of the most popular browser, email, file sharing, online meeting and messaging products tested, 85% contained at least one critical vulnerability with a 10.0 [Common Vulnerability Scoring System] score—the highest possible,” GrammaTech said in a press release. “Meanwhile, 30% of all open-source components across all the applications tested contained at least one vulnerability or security flaw that has been assigned a [Common Vulnerabilities and Exposures] identifier.”
President Joe Biden’s May 12 cybersecurity executive order calls for the development and use of a standard SBOM by government agencies, but COTS products are often excluded from federal acquisition regulations. Regulations to implement the Defense Department’s Cybersecurity Maturity Model Certification program do not apply to acquisitions solely for COTS, for example.
Comments submitted to the department on the CMMC regulation included some information and communications technology companies asking for assurance the new rules will not be enforced against them based on the COTS exclusion.
“CTIA urges the [Federal Acquisition Regulatory] Council not to take a narrow approach and instead to clarify that commercial wireless telecom and data services can be treated as COTS,” wrote the Cellular Telecommunication Industry Association, the leading trade group for the wireless industry.
A wholesale exclusion of COTS from the defense regulation doesn’t seem sensible to Leslie Weinstein, a CMMC consultant and former Defense Intelligence Agency and Cyber Command official.
“I'm sure like blank paper and some office supplies like maybe some of those contracts should be exempt,” Weinstein told Nextgov. “Yeah but cellphones most definitely should not be exempt because how many cellphones are going to who and the phone numbers and the components—like everything about that phone, nope super sensitive, right? And I'm an intelligence officer so I over-classify everything but you have to look at it from a red-team perspective, right? How can you exploit this information?”
The Defense Department is currently reviewing the CMMC program. A DOD spokesperson did not respond by deadline to a request for comment.
“If the government chooses to exclude COTS from having to obtain CMMC certifications as part of its acquisition policies, they will be incurring significant risk if they do not properly vet these applications prior to implementation,” GrammaTech’s Meyer said. “With increasing pressure on development teams to release software faster, more use of open source components will continue to increase and compound the problem highlighted in our report.”
An SBOM standard proposed by the National Telecommunications and Information Administration in line with the May executive order includes aspects like licensing and version information as well as a unique hash to act as a verifiable identifier. It does not require the disclosure of known vulnerabilities in software components.
“If software vendors deliver basic SBOMs that only include basic licensing and version information, they will be less useful for organizations consuming commercial off-the-shelf software [COTS] applications,” Meyer said.
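As an added illustration of the point above, the following Python sketch (written for this page; it is not NTIA, GrammaTech or Nextgov code) builds a minimal SBOM that carries only license, version and a SHA-256 identifier for each component, checks delivered components against those hashes, and lists what a consumer would still have to look up elsewhere because the SBOM carries no vulnerability data. The component names, contents and field names are constructed assumptions.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a component's bytes, used as its verifiable identifier."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the component binaries a vendor actually shipped.
DELIVERED = {
    "libparse": b"libparse 2.4.1 release build",
    "libcrypto-shim": b"libcrypto-shim 0.9.0 release build",
}

# Constructed minimal SBOM. Field names are an assumption; the elements mirror
# those the article describes (license, version, unique hash). Note that no
# vulnerability field exists, so the consumer must cross-reference CVE data.
# The second hash deliberately describes a different build than was delivered.
SBOM = {
    "product": "example-mail-client",
    "components": [
        {"name": "libparse", "version": "2.4.1", "license": "MIT",
         "sha256": sha256_hex(b"libparse 2.4.1 release build")},
        {"name": "libcrypto-shim", "version": "0.9.0", "license": "Apache-2.0",
         "sha256": sha256_hex(b"libcrypto-shim 0.9.0 DIFFERENT build")},
    ],
}


def verify_sbom(sbom: dict, delivered: dict) -> dict:
    """Map each SBOM component name to 'ok', 'hash-mismatch' or 'missing'."""
    results = {}
    for comp in sbom["components"]:
        blob = delivered.get(comp["name"])
        if blob is None:
            results[comp["name"]] = "missing"      # listed but never shipped
        elif sha256_hex(blob) != comp["sha256"]:
            results[comp["name"]] = "hash-mismatch"  # shipped bytes differ
        else:
            results[comp["name"]] = "ok"
    return results


def components_needing_vuln_lookup(sbom: dict) -> list:
    """(name, version) pairs with no vulnerability data in the SBOM itself."""
    return [(c["name"], c["version"])
            for c in sbom["components"] if "vulnerabilities" not in c]
```

A consumer that only checks hashes would accept `libparse` and flag `libcrypto-shim`, but would learn nothing about known CVEs for either without an external lookup.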