Agencies will soon be required to ask vendors for a software bill of materials—or SBOM—to help manage vulnerabilities like those found in the Log4J library, but much of its contents could still be open to negotiation.
For Season 12 of the podcast, Nextgov checked in on the subjects of some of our most popular episodes to provide a—wait for it—Critical Update. And the push to shine a light down software manufacturers’ supply chains got a significant boost since we last talked to the government and industry parties involved.
Most software is compiled using numerous, often open source, libraries of code associated with varying levels of security vulnerabilities. A software bill of materials, or SBOM, would ideally function like an ingredients list does for food packages. SBOM proponents believe if consumers knew what was in the software being sold to them, they could be more discriminating in consideration of security.
In May, 2021, when our last episode on the issue aired, President Joe Biden had just issued Executive Order 14028, ultimately requiring software vendors to deliver an SBOM along with any offering they make to federal agencies. And he tasked the National Telecommunications and Information Administration with describing “the minimum elements of a software bill of materials.”
Then, following government-wide remediation efforts at the end of the year addressing critical flaws in the commonly used Log4J software library, officials from the White House and the Cybersecurity and Infrastructure Security Agency emphasized the importance of SBOMs for agencies’ vulnerability management.
The NTIA document, published July 12, lists certain SBOM must-haves, such as data fields which, if left blank, could speak volumes about a vendor’s security processes, proponents say. But it also leaves a lot up in the air to be worked out by procurement officials.
This little recap of the issue also includes updates on the executive order’s implementation directly from the official who led the multi-year, multistakeholder process driving the SBOM initiative: CISA Senior Advisor and Strategist Allan Friedman.
You can listen to the full episode below or download and subscribe to Critical Update in Apple Podcasts or Google Play.