Inside Cybersecurity

June 22, 2024

Daily News

Software industry leader BSA raises cautionary notes on codifying use of SBOMs

By Charlie Mitchell / September 1, 2022

Policymakers should slow the “rush to codify” a requirement for vendors to produce a Software Bill of Materials, according to BSA-The Software Alliance, which says SBOMs can be a useful tool for improving supply chain cybersecurity but won’t provide “a silver bullet” and still need more work before they are mandated in contracts.

“Too many policymakers incorrectly assume that 1) SBOMs and supporting materials are ready for use, if policymakers incentivize a vendor to provide one; 2) organizations, including US Government agencies, are prepared to effectively use SBOMs they receive from vendors; and 3) an SBOM would solve a majority, if not all, of today’s cybersecurity challenges,” BSA policy director Henry Young said in a blog post on Wednesday.

“These three assumptions are creating a rush to codify the requirement for a vendor to deliver an SBOM in the United States — specifically, as proposed in Section 6722 of the [fiscal 2023 National Defense Authorization Act]. Yet such a requirement would undermine the considerable progress being made among the software industry, government, and other stakeholders to develop SBOMs and supporting materials that are effective,” Young said. The language is contained in the House-passed version of the NDAA; the Senate has yet to vote on its version.

In July, the inaugural report from the public-private Cyber Safety Review Board on the Log4j vulnerability determined more work is needed to make Software Bill of Materials useful for software supply chain incident response. Officials from CISA and NIST last week discussed their SBOM efforts at a MITRE event.

BSA’s Young flagged both the CSRB report and the “four workstreams” CISA is pursuing, remarking, “In short, experts agree that critical issues still need to be resolved before vendors can realistically be required to provide an SBOM to a customer.”

“At BSA, we support the development of SBOMs and, importantly, the associated tooling, standards, and automation … necessary to convert an SBOM into concrete cybersecurity improvements,” Young said, adding, “The cybersecurity community fully expects laws and policies requiring SBOMs in the future. However, the discourse on the current readiness and value of SBOMs has become disconnected from the realities of the complex and global software supply chain.”

Young said SBOMs “will not address most, let alone all, of the daily cyber risks an organization faces” and that “an SBOM will provide limited value in procurement decisions for multiple reasons, including that vendors will likely update SBOMs so frequently that the SBOM will be outdated by the time a procurement decision is made.”

He said, “What an SBOM will significantly improve, however, is an organization’s response to and recovery from a cyber incident, for example, by expediting an organization’s determination about whether it is using software with a known vulnerability and if that vulnerability is exploitable.”

BSA is calling on lawmakers to “remove Section 6722 of H.R. 7900, the FY23 NDAA, which would require a vendor to deliver an SBOM to a US Government agency as part of its contract. While well-intentioned, the section would fragment the ongoing implementation of the Executive Order on Improving the Nation’s Cybersecurity and threaten to get out ahead of the ongoing, collaborative efforts of the software industry, government, and other stakeholders to develop effective SBOMs,” Young wrote.

Further, he wrote, Congress should “consider refining the proposed Senate Amendment to the FY23 NDAA contained in Section 1627 Requirement for Software Bill of Materials. This amendment directs the Department of Defense, ‘in consultation with industry, [to] develop an approach for commercial software in use by the Department and future acquisitions of commercial software that provides, to the maximum extent practicable, policies and processes for operationalizing software bills of materials.’ Congress could improve this amendment by, among other things, refining the scope and definitions.” – Charlie Mitchell (cmitchell@iwpnews.com)