Addressing supply chain issues will require flexibility and a clear recognition of what entities are hoping to achieve by adopting new processes, according to supply chain officials from CISA and NIST, who spoke Thursday about potential challenges in using a Software Bill of Materials and procurement mechanisms.
The Cybersecurity and Infrastructure Security Agency is undertaking four lines of effort on SBOM to help with scaling, operationalizing and creating interoperability, CISA senior advisor and strategist Allan Friedman said at a MITRE summit. Friedman started working on SBOM at the National Telecommunications and Information Administration and moved over to CISA last summer.
At NTIA, he led the creation of a report on minimum elements for an SBOM as required by the 2021 cyber executive order. Friedman said NTIA’s intent when crafting the report was that it will change over time as the technology evolves and pointed to “hashing” as an area where the agency did not believe there was “sufficient uniformity” around SBOM generation to include it in the initial report.
Friedman explained two paths for SBOM: one that leads toward wider adoption and another that could create potential stumbling blocks.
The first option is to keep SBOM as simple as possible, Friedman said. In the second case, he said there would be a modular model linking other types of data into an SBOM such as build tools and vulnerability data.
Friedman said, “The risk in this approach is we’ve all seen the world littered with really great standards ideas that no one ever touches because they were too complex and they were trying to cover too broad [an area]. SBOM’s power is that it can apply to the entire world of software which is giant,” ranging from a cloud container to medical devices to 5G and 6G radio access networks.
“Complexity delivers value,” Friedman said, but it can also be “the enemy of security and success.”
Friedman participated in a software supply chain security panel at a MITRE supply chain summit featuring Microsoft’s Brian Knight and Michael Worden of Raytheon Technologies. The session was followed by a panel discussion on supply chain policy with NIST’s Jon Boyens, Venable’s Ari Schwartz and Emile Monette of Synopsys.
Boyens provided an overview of changes in NIST Special Publication 800-161 Rev.1, the agency’s foundational guidance on supply chain cybersecurity risk management. The revised publication, updated in May, addresses what agencies need in order to conduct security assessments as required under the SECURE Technology Act of 2018.
The law also created the Federal Acquisition Security Council, which Boyens said was “first developed to harmonize supply chain risk management activities across the federal enterprise.” Boyens said that has been difficult to accomplish because of the wide range of federal systems spanning the civilian agencies, intelligence community and the Defense Department.
The FASC is tasked with developing processes to address risks and has the authority to recommend exclusion and removal orders for specific products. But Boyens said the FASC hasn’t used the authority because it isn’t easy to determine the risk. He offered tracking geolocation data as an example of an area that can be difficult to understand and use in practice.
At the agency level, Boyens said one of the barriers to implementing supply chain risk management is that it is an “unfunded mandate.” He added, agencies are “dealing with not only resource constraints but also an inadequate workforce.”
When asked about instituting mandates, Boyens said using procurement to drive security improvements is the “soft hammer” and the policy should be performance based. Things can also become more complicated because agencies have different risk tolerances and appetites, he said.
Instead of mandates, Venable’s Ari Schwartz said “nudges” would be helpful, including pilots, to test out specific ideas. The Cybersecurity Coalition in May published a position paper urging the government to conduct pilots to test out SBOMs before establishing procurement requirements for agencies.
The Cybersecurity Coalition is hosting an SBOM event on Sept. 7 to discuss SBOM use cases, potential risks and the readiness of government and industry to use SBOMs effectively. Schwartz leads the coalition. -- Sara Friedman (firstname.lastname@example.org)