SAP Logo LeanIX is now part of SAP

SBOM News: CISA Details New Open-Source Software Regulation

Posted by Neil Sheppard on May 8, 2023


Software Bill of Materials (SBOM) requirements have been under review by the US government for some time now. Find out more about the latest guidance from the US Cybersecurity and Infrastructure Security Agency (CISA).

Software Bill of Materials (SBOM) regulation marches another step closer. On April 17, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) released its report outlining guidelines for the SBOM sharing process that all software vendors to the US government will now need to follow.

The report explained further details of the standard the White House expects from software vendors in securing their open source components. It also covered the "enrichment activities" it expects software providers to carry out on SBOMs in order to maximize their effectiveness.

This forms the terms of providing software for the US government going forward. Yet, it will also soon be a template for the cyber security standard that will be expected from software vendors across the world in the future.

Let's explore the preparations you'll need to put in place to remain competitive under this new legislation.

SBOMs: The Story So Far

A Software Bill of Materials (SBOM) is essentially an ingredients list for your software. It documents all the code components that are used in building your product; particularly the open-source elements.

Just as an ingredients list is essential for determining if food is safe for someone with an allergy, an SBOM allows you to determine immediately whether your product is at risk when vulnerabilities are discovered in open-source software. It can then guide you to where your product needs to be updated to fix the vulnerability.

To find out more about why SBOMs matter, read:

SBOMs (Software Bill of Materials): Why Do They Matter?

The Log4Shell remote code execution (RCE) vulnerability discovered in Apache log4j 2 in 2021 brought software supply chain security (SSCS) into the spotlight. Since then, a Synopsis Cybersecurity Research Center survey showed that 97% of 2,409 items of software had open-source software risk. 81% of these were found to have security vulnerabilities.

This is particularly concerning, given that Deloitte found 34% of organizations have had accounting and financial data targeted by cyber criminals. With the number of those organizations that have software risk, it's clear something must be done to increase cyber security.

SBOMs called for by executive order EO14028

This is why the US government has taken action. In May, 2021, the White House issued executive order EO14028: Improving The Nation's Cybersecurity. This called for action from vendors in:

"...providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website"

The document also established a strict timeline for the rollout of this regulation. That timeline is now reaching its end, with all software vendors to the US government required to submit documentation, including SBOMs, by September 14, 2023, or June 11 if the software is deemed critical.

Key for the Biden administration is shifting responsibility for cyber security from the users and businesses who suffer at the hands of cyber criminals to the original creators and vendors of the software. The intention is that software will now be "secure by design", rather than leaving cyber security as an afterthought.

To find out more about the timeline of the US call for SBOMS, read:

SBOM Now Vital For Open Source Software On Executive Order

Both the UK and the EU have followed suit in issuing their own cyber security acts with similar demands. It's clear SBOMs are becoming essential for government software vendors, but it won't be long before consumer vendors will need to follow suit.

With the market cost of cyber crime set to reach USD 10.5 trillion by 2025, enterprise is as at-risk as government. Soon, SBOMs will become standard for all software vendors across all industries.

In the latest update, the US Cybersecurity and Infrastructure Security Agency (CISA) has finally laid out the process it's prescribing for vendors to share SBOMs with the White House. Let's look further into the expectations.

The CISA Standard For SBOM Documentation

On April 17, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) issued its guidelines for the Software Bill of Materials (SBOM) sharing lifecycle: the SBOM Sharing Lifecycle Report. This document explains how vendors will need to share SBOMs with the White House to fulfill their obligations.

Nevertheless, the document is not intended to be formal legislation. Rather, it's a collaborative document created with industry stakeholders to provide guidance on the best practice for SBOM use.

As such, this document will be vital for software vendors to understand how the industry intends to enact SBOM usage on a large scale. The primary thrust of the message is that SBOMs must be created and shared immediately, rather than created after an incident has occurred.

However, further guidance on the methodology of the sharing was also introduced. One of the new concepts in the document is the idea of low-, medium-, and high-sophistication solutions.

Under this model, more-sophisticated software will require more developed tools to automate the sharing of large software SBOMs in a private transaction or in the cloud. Automatic updates will be provided whenever a change is made to the code.

Medium-sophistication SBOMs can be added to the product source code or made available on the vendor website. While less-sophisticated and less-secure SBOMs can simply be emailed to clients when requested.

The CISA lays out that the more sophisticated an SBOM is, the more access to it will need to be restricted to authorized users. For the most-sophisticated SBOMs, CISA recommends Public Key Infrastructure delegation using certificate signing.

The Key To Enriching SBOMs

The LeanIX value stream management (VSM) platform empowers you to track your software supply chain security (SSCS) and the impacts open-source software risk can have on your business. This means you can rapidly model your software supply chain by discovering direct and transitive relations of software components on service and product level.

Our easy-to-use interface and filtering capabilities allow you to consume SBOMs and prepare them for sharing with your customers. To find out more, get your free trial of LeanIX VSM:

Get a free 14-day trial

Subscribe to the LeanIX Blog and never miss a post again!

Related Posts

Related Resources