LAS VEGAS. Draft documents are coming in weeks from a Commerce Department-led “software bill of materials” initiative, according to project leader Allan Friedman, who says this “why and how” stage should move quickly into a “turn-key” phase of raising awareness and actually putting the SBOM concept into practice.
The public-private initiative’s four working groups will discuss “baseline” SBOM drafts at a Sept. 5 meeting in Washington, DC, an important milestone, Friedman noted in a presentation Wednesday at the Black Hat conference here.
The stakeholders involved in the project over the past year have managed to define the scope of the problem and agreed to focus on specific goals, while identifying existing related efforts across government and the private sector, Friedman said.
Now, to “make real progress,” he said stakeholders should turn to “extending the model,” developing and collecting “tooling,” and getting into awareness and adoption campaigns.
Raising awareness will be critical for advancing a concept that is so readily accepted in other domains, he said. For instance, containers of chemicals include descriptions of potential harms if they are spilled, Friedman said, while “a 1-ton generator comes with a description of every screw and bolt. So why aren’t we doing this for software?”
Software supply chains are long and complex, which he acknowledged is a barrier to developing SBOMs. But “the fundamental reason we’re not doing it now,” Friedman asserted, “is because no one is asking for it.”
That’s changing, Friedman told the audience of technologists and others here, stressing that “SBOM is coming and it will be made better if you come along.”
Friedman is director of cyber initiatives at Commerce’s National Telecommunications and Information Administration, which is not a regulatory agency, as he frequently points out to stakeholder audiences. On the SBOM initiative, he stressed that he would “like to avoid this becoming a compliance issue for as long as possible, the government can come along with a stick later.”
But pressure is growing for something like an SBOM in the private sector, he said, with major financial institutions considering contract language specifying that 5 to 10 percent of a contract’s price will be knocked off if the vendor can’t list the ingredients in their software products. “If five big banks ask for this, everyone is going to do it,” Friedman said.
On the government side, supply-chain security concerns are driving cybersecurity activities across the Commerce and Homeland Security departments and on Capitol Hill, which could ratchet up pressure for transparency on what goes into the software running critical functions. Within Commerce, the SBOM work is already feeding into the department’s efforts on supply-chain security as well as on issues like combating botnets, Friedman explained.
He said the initiative’s “first range of documents are on the how and why” of SBOM, “but then the next step needs to be turn-key … what does awareness and adoption look like? It shouldn’t be regulatory so let’s find a strategy. We should identify areas of promotion and identify champions in different communities.”
He emphasized that “the documents coming out of NTIA are written by the community” and that this will play a key role in determining how they are presented at the end of this process. Private-sector entities should carry the agreed-upon elements of an SBOM out into the community and the government should have a strategy for highlighting and promoting the effort, he suggested.
Working group updates
Among the working groups, Friedman said, the “proof of concept group” – which is focused on medical devices – has “generated data and produced use cases” but has found obstacles to automating the process. The largest device makers and health centers like the Mayo Clinic are collaborating in the process, Friedman said.
Friedman said the “standards and formats” group has “identified common elements” in the two major existing tools for component disclosure: Software Identification tagging, or SWID, a standard issued by the International Organization for Standardization, and Software Package Data Exchange, or SPDX, often used by the open-source community.
That working group is now “building out guidance to support both formats,” Friedman said.
– Charlie Mitchell