Inside Cybersecurity


Tech group urges NIST to streamline supply chain risk publication addressing cyber EO requirements

By Sara Friedman / December 15, 2021

NIST’s latest update to its flagship cybersecurity supply chain publication should be streamlined to address tasks in a May cyber executive order more cohesively, according to the Information Technology Industry Council.

ITI told NIST, “We believe the content included in Appendix F provides helpful insight into how the requirements from the May 2021 Executive Order on Improving the Nation’s Cybersecurity intersect with NIST SP 800-161. However, while it is useful to have all of the Executive Order’s directives in a single appendix, this leads to unnecessary duplication of content and further reduces cohesion.”

ITI submitted comments last week on the second draft of NIST 800-161 Rev. 1, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” The revised publication adds two appendices to address requirements in the EO and support agencies’ compliance with the Federal Acquisition Supply Chain Security Act, which requires agencies to perform supply chain risk assessments.

The tech association addresses guidance in the publication on Software Bill of Materials, saying it should refer back to NIST’s Secure Software Development Framework “rather than add new requirements.” ITI said, “Additionally, ITI encourages NIST to recognize the limitations of what SBOMs can and should be used for; for instance, SBOMs should not be used as a risk or quality assessment tool during the procurement process.”

ITI said, “Furthermore, in implementing these requirements, NIST must ensure that software providers have enough agility and responsiveness to deliver timely security and functional updates. Many well-maintained software components have update cycles that range from days to weeks, and it’s important that whatever set of SBOM requirements and tooling put in place can be incorporated into these rapid release cycles. We encourage NIST to balance these elements when providing guidance on the appropriate role and place for SBOMs.”

BSA-The Software Alliance also argued for “any consideration of software bills of materials (SBOMs)” to “be contained in the SSDF and incorporated into SP 800-161 by reference,” in comments to NIST.

“Further, NIST should explicitly recognize the limitations of SBOMs as an emerging technique to manage supply chain and cybersecurity risk,” BSA said. “An SBOM can provide useful information to a customer but, without additional context, can also be misleading and result in suboptimal action. For instance, an SBOM may identify a vulnerable component that cannot be exploited as used but may nonetheless lead an organization to compel a software developer to address that unexploitable vulnerability. Alternatively, even if an SBOM identifies a vulnerability that is exploitable, an SBOM may inappropriately prioritize the use of cybersecurity resources as there may be more effective ways to address the vulnerability or otherwise improve the security of the product or service.”

BSA noted that federal agency personnel will “likely understand an SBOM’s limitations.” However, the software association said, “other organizations, including those outside the US, look to NIST as a leading authority for cybersecurity risk management and without further clarification, these organizations may improperly rely on an SBOM.”

“Because SBOMs are an emerging tool, NIST should be explicit that they are intended to provide supplemental information and do not themselves provide sufficient information on which an organization can measure either the risk or quality of the software they describe, nor do they identify the most effective use of cybersecurity resources,” BSA said.

BSA weighs in on the EO more broadly, saying, “NIST should strongly consider publishing a standalone EO Section 4 Road Map to detail all practices an organization must adopt to meet requirements under Section 4.”

CrowdStrike’s Drew Bagley told Inside Cybersecurity, “CrowdStrike has provided formal feedback related to all topics covered in May’s Executive Order on Improving the Nation’s Cybersecurity. As part of this effort, we submitted a comment on the first draft of the C-SCRM revision process in June 2021. The comment encouraged NIST and stakeholders to emphasize the use of threat hunting and emerging detection techniques as part of comprehensive supply chain risk management strategy.”

Bagley said, “Combined with more traditional audit and risk management-based approaches, these techniques can help organizations identify and quickly remediate threats that result from certain types of compromises or subversions. Software supply chain attacks are particularly thorny, so organizations must create opportunities to identify threat activity not just during initial exploitation attempts, but also as adversaries attempt to escalate privileges, move laterally, or perform other post-exploitation activities.” -- Sara Friedman (sfriedman@iwpnews.com)