CISA Executive Assistant Director Eric Goldstein

A Cybersecurity and Infrastructure Security Agency (CISA) executive explained the role of software bill of materials (SBOM) in open source and supply chain security during this week’s Rubrik Data Security Summit. The comments followed a White House push for transparency into software components. 

The federal government is trying to drive adoption of SBOMs and of strong security practices such as the Secure Software Development Framework (SSDF) that the National Institute of Standards and Technology (NIST) recently released, CISA Executive Assistant Director Eric Goldstein noted.

An SBOM is a list of all the components, libraries, and modules required to build a piece of software. It covers both proprietary and open source components, and it records the supply chain relationships between them (which component depends on which), so that the software becomes transparent enough to analyze for security.

SBOM “does not enable security itself, but does enable visibility into the open source libraries and packages being used in a given software product and thereby enabling further security and control,” Goldstein said. 

It is “a logical extension of that philosophy of being able to really understand not just the first order software that you are operating in your environment, but also the components and libraries and dependencies of that software,” he added. “So you can drive transparency, control, security, and mitigation more deeply into your environment.”

Soon after the Log4j vulnerability was disclosed, Forrester analysts wrote that "a set of accurate SBOMs would help organizations target their responses to the vulnerable components in their environments."
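To make the two points above concrete, here is an added example (not code from CISA, Forrester or this article): it parses a small, constructed CycloneDX JSON SBOM for a hypothetical application, flags any component whose version falls inside an advisory's affected range, and then walks the SBOM's dependency section to show which first-order component pulls the vulnerable library in. The application, component set and versions are made up for the example; the affected-version range is the published Log4Shell one (CVE-2021-44228, log4j-core 2.0-beta9 through 2.14.1, fixed in 2.15.0), hard-coded here only to keep the example self-contained.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 SBOM for a hypothetical "inventory-service" application.
# Sample input for this example only; it does not describe any real product.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
                             "name": "inventory-service", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "spring-boot", "type": "library", "group": "org.springframework.boot",
     "name": "spring-boot-starter-log4j2", "version": "2.5.6"},
    {"bom-ref": "log4j-core", "type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "log4j-api", "type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"},
    {"bom-ref": "jackson", "type": "library", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "version": "2.12.5"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["spring-boot", "jackson"]},
    {"ref": "spring-boot", "dependsOn": ["log4j-core", "log4j-api"]},
    {"ref": "log4j-core", "dependsOn": ["log4j-api"]},
    {"ref": "log4j-api", "dependsOn": []},
    {"ref": "jackson", "dependsOn": []}
  ]
}
""")

# Advisory lookup table: (id, Maven group, artifact, first affected, first fixed).
# The range is the published Log4Shell one; a real scanner would pull this from a
# vulnerability feed instead of hard-coding it.
ADVISORIES: List[Tuple[str, str, str, str, str]] = [
    ("CVE-2021-44228", "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0"),
]


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, str, int]]:
    """Turn '2.0-beta9' into a sortable key.

    The dotted numeric part becomes a tuple of ints; a '-tag' suffix marks a
    pre-release, which ranks below the plain release of the same number
    (2.0-beta9 < 2.0), as Maven orders them. Simplified from Maven's full rules.
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    if not pre:
        return nums, (1, "", 0)           # release ranks above any pre-release tag
    m = re.match(r"([A-Za-z]*)(\d*)", pre)
    return nums, (0, m.group(1).lower(), int(m.group(2) or 0))


def affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def find_vulnerable(sbom: dict) -> List[Dict[str, str]]:
    """Match every declared component against the advisory table by group, artifact and version."""
    hits = []
    for comp in sbom.get("components", []):
        for adv_id, group, name, lo, hi in ADVISORIES:
            if (comp.get("group") == group and comp.get("name") == name
                    and affected(comp["version"], lo, hi)):
                hits.append({"bom-ref": comp["bom-ref"], "advisory": adv_id,
                             "version": comp["version"], "fixed_in": hi})
    return hits


def dependency_paths(sbom: dict, target_ref: str) -> List[List[str]]:
    """Every path from the SBOM's root component to target_ref through the dependency graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        if ref == target_ref:
            paths.append(path)
            return
        for child in graph.get(ref, []):
            if child not in path:         # guard against cycles in a malformed SBOM
                walk(child, path + [child])

    walk(root, [root])
    return paths


def report(sbom: dict) -> List[Dict[str, object]]:
    """Vulnerable components together with the dependency chains that pull each one in."""
    return [dict(hit, paths=dependency_paths(sbom, hit["bom-ref"]))
            for hit in find_vulnerable(sbom)]


if __name__ == "__main__":
    for finding in report(SAMPLE_SBOM):
        print(f"{finding['advisory']}: {finding['bom-ref']} {finding['version']} "
              f"(fixed in {finding['fixed_in']})")
        for path in finding["paths"]:
            print("  via " + " -> ".join(path))
```

Two caveats matter in practice. Matching by group, artifact and version only finds what the SBOM declares, so a shaded or vendored copy of log4j-core that the producer never listed as a component stays invisible, which is exactly why Forrester qualified its statement with "accurate". And the version comparison above is a simplification; production tooling should use the ecosystem's own ordering rules (Maven's, here) rather than a home-grown parser.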

An SBOM, however, is not a complete security solution on its own. The community also needs to drive consistency in automation and in machine-readable formats (SPDX and CycloneDX are the two in common use), so that SBOMs can be ingested at scale by organizations of any size, and to use SBOMs to gain visibility into identified risks so that mitigation can be prioritized and carried out faster.

Combining SBOM with appropriate testing and controls, “we can drive down the prevalence of exploitable vulnerabilities in newly released code while still enabling further maturation and investing in the critical open source ecosystem,” Goldstein said.

He also pointed out that open source security should be a whole community effort, and the government is one of the contributors, “but doesn't need to be a principal mover in all aspects of this problem space.”

“There is an extraordinary effort going on today in the open source community and supported by some of the nation's biggest technology companies to drive improvement and drive investments,” he added.

White House Tightens Federal Software Purchase Requirements 

The Biden administration this week pushed further for the use of SBOMs. Building on President Biden's Executive Order 14028 on improving the nation's cybersecurity, the Office of Management and Budget issued memorandum M-22-18, under which federal agencies must verify that the third-party software they deploy was developed in line with NIST's secure software development guidance and obtain proof of conformance from the vendors.

The memo directs agencies to obtain from software producers artifacts that demonstrate conformance with secure software development practices: a self-attestation from the producer and, where the agency requires one, an SBOM.

Within 90 days of the memo, federal agencies must inventory all of their software and create a separate inventory of critical software. Within 120 days, they must establish a process for communicating the requirements to vendors and begin collecting attestation letters from software producers.