On July 12th the NTIA and the Department of Commerce released a document of interest to any software developer:
The Executive Order (14028) on Improving the Nation’s Cybersecurity directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials
An SBOM is a formal record containing the details and supply chain relationships of various components used in building software.
You have to include this for every element or third-party tool that ships in your software. Say you use a WYSIWYG rich-text editor from a popular company, or even a proprietary CSS/jQuery template: you need to track these bills of materials as closely as you do your own code.
You need the following data fields:
- Component Name
- Version of the Component
- Other Unique Identifiers
- Dependency Relationship
- Author of SBOM Data
- Timestamp.
You must include the ability to automate (this means including a parser and publishing metadata) using one of the following:
- SWID tags.
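To make the data-field list and the "include a parser" requirement concrete, here is an added example (not code from the NTIA document or from the coalition) that validates a record against those minimum fields. It assumes a constructed JSON shape for the record, not SPDX, CycloneDX or SWID, and constructed component names and identifiers; the checks it performs (required fields present, timestamp parseable, identifiers unique, every dependency relationship resolving to a component in the same record) are the ones a consumer of the SBOM would want before trusting it.

```python
import json
from datetime import datetime

# Minimum data fields named on this page, as keys of a constructed JSON shape
# (the shape is an assumption of this example, not SPDX, CycloneDX or SWID).
REQUIRED_DOCUMENT_FIELDS = ("author", "timestamp", "components")  # Author of SBOM Data, Timestamp
REQUIRED_COMPONENT_FIELDS = ("name", "version", "identifiers")    # Name, Version, Other Unique Identifiers
DEPENDENCY_FIELD = "depends_on"                                   # Dependency Relationship

def validate_sbom(doc: dict) -> list:
    """Return a list of findings; an empty list means every minimum element is present
    and every dependency relationship resolves to a component in the same record."""
    findings = [f"document: missing '{f}'" for f in REQUIRED_DOCUMENT_FIELDS if f not in doc]
    if findings:
        return findings
    try:
        datetime.fromisoformat(str(doc["timestamp"]).replace("Z", "+00:00"))
    except ValueError:
        findings.append("document: timestamp is not ISO 8601")
    known_ids = {}  # identifier -> component name, to detect duplicates and resolve dependencies
    for i, comp in enumerate(doc["components"]):
        label = comp.get("name") or f"component #{i}"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):  # absent or empty counts as missing
                findings.append(f"{label}: missing '{field}'")
        for ident in comp.get("identifiers", []):
            if ident in known_ids:
                findings.append(f"{label}: identifier '{ident}' already used by {known_ids[ident]}")
            known_ids[ident] = label
    for comp in doc["components"]:
        for dep in comp.get(DEPENDENCY_FIELD, []):
            if dep not in known_ids:
                findings.append(f"{comp.get('name')}: depends on unknown identifier '{dep}'")
    return findings

# Constructed sample record: an application that embeds a third-party rich-text
# editor and a purchased CSS template, with two deliberate gaps for the validator to catch.
SAMPLE_SBOM = json.loads("""{
  "author": "example-vendor security team",
  "timestamp": "2021-07-12T00:00:00Z",
  "components": [
    {"name": "our-app", "version": "2.1.0", "identifiers": ["example:our-app:2.1.0"],
     "depends_on": ["example:richtext-editor:4.2.0", "example:css-template:1.0", "example:missing-lib:0.1"]},
    {"name": "richtext-editor", "version": "4.2.0", "identifiers": ["example:richtext-editor:4.2.0"]},
    {"name": "css-template", "version": "", "identifiers": ["example:css-template:1.0"]}
  ]
}""")

if __name__ == "__main__":
    for finding in validate_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the sample, the validator reports the template's missing version and the dependency on a component that is not in the record; both are the kind of gap the "Known Unknowns" practice expects you to document rather than silently ship.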
An SBOM is much more than just metadata. You need to include your policy and procedures around security and updates. You need to include:
- Known Unknowns
- Distribution and Delivery
- Access Control
- Accommodation of Mistakes.
The released document goes into much greater detail on all of these elements.
As a coalition we want businesses to focus on automation of compliance. We also see software development as a huge growth opportunity for the state and want to help any small business who wants to learn the ins and outs of selling software to the government.
(CMMC is just Department of Defense for now, but Supply Chain Risk Management with an 800-171 baseline to protect CUI is coming for all agencies and all contractors. Please track the changes related to Executive Order (14028) on Improving the Nation’s Cybersecurity.)