NTIA Working Groups Want Uniform SBOM Standards to Improve Cybersecurity
Uniform software bill of materials (SBOM) standards will lead to more cyber-secure industry and government entities (see 1806060036), NTIA working group officials said Wednesday on a conference call. The agency is gathering feedback from software vendors, IoT manufacturers, medical device manufacturers, civil society and various sectors to improve transparency of software components and digital security.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The agency will hold an in-person meeting April 11 in Washington. NTIA’s multistakeholder process was started after recommendations from a report to the president on botnets (see 1805300065).
NTIA’s SBOM practices working group summarized that current SBOMs contain “similar information” but are “not uniform, not pervasive” and could be improved with harmonization, amplification and innovation enhancements. Harmonization would mean more “standard, machine readable” data enabled by build tools and software composition analysis tools. Amplification entails “greater adoption” of SBOM production, and innovation would involve capturing more categories of data.
NTIA materials distributed Wednesday show the mission is to convey how manufacturers and vendors can communicate “useful and actionable” information about third-party/embedded software components that “comprise modern software and IoT devices.” The goal is to offer transparent data to promote better security decisions and practices, NTIA said. The scope entails the auto, financial, healthcare and IT industries.
Modern software resulted in highly complex supply chains, NTIA said. A lack of transparency into system functionality creates cyber risks and added costs for development, procurement and maintenance, the agency said. Increased costs and risks affect organizations as well as public safety and national security, it said.
The agency listed objectives that can reduce risk and cost: greater identification of vulnerable systems and incident root causes; greater free market choice of goods, resulting in greater investment return; and standardized SBOM structure across sectors.
One goal is to create a “greater line of sight” for downstream flaws in vulnerability management like those seen during the 2016 Hollywood Presbyterian Medical Center ransomware event, said PTC Chief Security Officer Josh Corman. Greater clarity at “each handoff” creates “a final, aggregate inventory of parts or ingredients that may have been impacted during an active attack,” he said.