Inside Cybersecurity

May 16, 2024

NTIA software transparency initiative plans for more industry engagement, expansion to energy sector

By Sara Friedman / March 31, 2021

The development of Software Bills of Materials is getting more attention as government and industry try to work through ways to prevent the next software supply chain hack following SolarWinds, which could drive more interest in a Commerce Department initiative that is expanding to show its utility to the larger software community.

The National Telecommunications and Information Administration’s software transparency initiative has brought together supply chain stakeholders over the past two years, working toward an understanding on the potential of SBOMs and obstacles to wider adoption. NTIA released a new paper Tuesday outlining work from its SBOM framing working group on the challenges of “identifying software components with sufficient discoverability and uniqueness.”

NTIA’s Allan Friedman spoke with Inside Cybersecurity about how the SBOM initiative has developed over time and new opportunities for growth.

Friedman said there has been more interest in NTIA’s software work “over the past three to four months,” but declined to get into specifics about cyber incidents or how NTIA is providing input into upcoming White House executive actions to bolster the government’s software supply chain.

“We have been at this for over two years and interest has continually snowballed,” Friedman said. “Certainly since December more people are paying attention to software supply chain, and SBOM is one of the more notable novel efforts to really help us amplify our powers in the software supply chain.”

Friedman said an attack is “not just about managing components” of software, emphasizing how the “security of those components and the security of the systems that track those components” is just as critical.

“We need to track the components, that’s the core of SBOM, in a way that is scalable and interoperable. But if you just track those components without a fully secure process the attacker could just compromise the tools and process that you have,” Friedman said.

Developing and creating SBOMs is still a work in progress, but the NTIA initiative has come a long way in trying to address some of the obstacles. For the past two years, SBOM stakeholders have worked on a proof of concept bringing together hospitals, device manufacturers and security vendors to test out the SBOM concept on medical devices.

NTIA is working with partners at the Energy Department and its National Labs to develop a new proof of concept for the energy industry. NTIA convened two meetings this year to educate potential energy sector participants on the SBOM concept and has a third meeting scheduled for April 12.

The SBOM initiative is also hosting its first “plugfest” on April 9 with the goal of aligning three commonly used SBOM formats—SPDX, CycloneDX and SWID—around baseline fields, which Friedman said will test out a concept discussed in white papers produced through the multistakeholder process.

The plugfest will also test out “interoperability and uniformity” between existing standards and work toward creating a “set of reference SBOMs” using “simple pieces of code.”

Friedman said the plan is to “start with very simple pieces of code because we want to be prepared if our assumptions are not true that we can identify it and diagnose it.” Depending on the success of the event, Friedman said he hopes that there will be “more ambitious plugfests with more sophisticated use cases” in the future. -- Sara Friedman (sfriedman@iwpnews.com)