The Cybersecurity and Infrastructure Security Agency is supporting four industry-led lines of effort on Software Bill of Materials and plans to release guidance on how to track the SBOM lifecycle and minimum data requirements for vulnerability exchange management, according to CISA’s Allan Friedman.
Following a series of listening sessions, Friedman said CISA stood up four workstreams led by industry stakeholders focused on: cloud and online applications; on-ramps and adoption; sharing and exchanging; and tools and implementation. There is also ongoing work around “Vulnerability Exploitability eXchange (VEX).”
The lifecycle document will focus “different types of SBOMs and addresses different types of tools that are used at different points in a software lifecycle,” Friedman told Inside Cybersecurity. Those points could be creating an SBOM from a “software repository that is the source code of a product,” Friedman said, or building an SBOM at the time of creating the software.
Allan Friedman, Senior Advisor and Strategist, CISA
Friedman said another option is creating an SBOM for “legacy software by looking at the compiled software that has already been built and using an analysis tool about what are the components of it.”
He said, “This document drafted by the community clarifies these and other types of software SBOMs so that the community and both toolmakers and people who use SBOM data better understand the nuance of how the SBOM was created.”
Friedman is a senior advisor and strategist at CISA who leads the agency’s efforts around SBOM.
CISA published two documents on VEX in 2022 focused on recommended minimum data elements and status justifications.
“We are very shortly going to be publishing a minimum requirements model for VEX because VEX can be implemented in different data formats and so we want to make sure there is a common model so as people implement it the data can be used by a common tool,” Friedman said.
CISA is also working on a joint collaboration with the Energy Department on sharing SBOMs.
“We always like to collaborate with our peers in the government and other experts around software security,” Friedman said, “so this is work that has been collaborative between the Department of Energy National Labs and CISA to think about how we can share SBOM data, how do we move it around the supply chain as it moves from a supplier to a customer, and then that customer may in turn use the software in making another product they sell to another customer.”
The focus is on “tracking this data and defining the challenges of how we share not just SBOM data but lots of other types of software metadata,” Friedman said. CISA has collaborated with Idaho National Laboratory “in particular,” Friedman said, while adding that “multiple labs supported the effort.”
Interest in SBOM has increased significantly since its inclusion in the 2021 cyber executive order to secure federal networks. The National Telecommunications and Information Administration developed a minimum elements for an SBOM report as required under the EO and NIST published subsequent guidance for agencies.
SBOM is also addressed in a memorandum from the Office of Management and Budget establishing a self-attestation security policy for software purchased by federal agencies using NIST’s Secure Software Development Framework.
Friedman said, “The executive order makes it clear that we need more software assurance processes in the software we are selling. This dovetails quite nicely with the long term to CISA’s emphasis on secure-by-design that Director [Jen Easterly] laid out a vision for in her lecture at Carnegie Mellon” on Feb. 27.
“SBOM is important, but it is not the only piece and we need to do as much we can to encourage the software we are using to be more secure out of the box. One of the other things the Director has emphasized is how do we emphasize things like memory safety and, of course, that is going to be a longer process,” Friedman said.
He added, “There are a lot of different pieces as we move toward secure-by-design, some of it laid out in section four of the executive order such as making sure the build process is separate from the development environment and SBOM and some other more ambitious longer-term process.”
CISA is continuing to have interagency discussions around the “exact mechanics of EO implementation,” Friedman said, led by a new CISA office focused on supply chain and other “technical experts on software assurance.”
Friedman said, “We are also continuing to have conversations across both the federal civilian government and DOD on what SBOM implementation means for them.”
This includes “everything on how to start asking for SBOMs from their suppliers independent of the EO, and what do we do with SBOMs.” As more agencies are creating their own software, Friedman said there is also a discussion on how to “make sure there are enough resources for them to think through this process.”
CISA is working with a “number of different parts of DOD” on SBOM, Friedman said, including “particular” military services and the DOD Office of the CIO as well as offices at the under secretary of defense level for acquisition and testing. -- Sara Friedman (email@example.com)