NSA and ESF partners publish recommended practices for consuming software BOMs
FORT MEADE, Md. – The National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA) and industry partners have released a cybersecurity technical report (CTR), “Securing the Software Supply Chain: Recommended Practices for the Software Bill of Materials Consumption.” The guidance in this release helps software developers, vendors, and customer stakeholders ensure software integrity and security through contractual agreements, software releases and updates, notifications, and vulnerability remediation.
The report was developed by the Enduring Security Framework (ESF) Software Supply Chain Working Group, an NSA-, ODNI-, and CISA-led public-private cross-sector group, to provide details of recommended practices as a basis for describing, assessing, and measuring security practices across the software life cycle. It builds on the paper “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” published by the Office of Management and Budget (OMB).
“Essentially, SBOM provides critical software visibility for improved patch and vulnerability management for customers, as well as potentially mitigating supply chain risks,” said Jorge Laurel, Head of Enduring Security Framework. “The latest ESF release provides best practices for SBOM consumption with the goal of increasing cybersecurity in organizations as well as the supply chain as a whole.”
The co-authors of the ESF report observe an increase in cyberattacks that highlight weaknesses in software supply chains. This in turn increases the potential for supply chains to be weaponized by nation-state adversaries, who can gain access to software in a number of ways, including but not limited to the following: exploiting design flaws, incorporating vulnerable third-party components into a software product, infiltrating the vendor’s network to insert malicious code prior to the final delivery of the product, and injecting malware into the software installed in the customer environment.
Following these observations, the report provides guidance consistent with industry best practices and principles, including managing open source software and software bill of materials (SBOM) to maintain and raise awareness of software security. Specifically, the report details SBOM consumption, lifecycle, risk scoring, and operational implementation with the goal of increasing transparency in the software management cycle and providing organizations with access to risk information.
“BlackBerry welcomes the ESF’s guidance on SBOM consumption,” said Christine Gadsby, VP Product Security, BlackBerry. “The availability of an accurate, comprehensive view and categorization of all software components is a game-changer for software supply chain security, allowing for a real-time and risk-based mitigation response to supply chain vulnerabilities, particularly for an entity’s most critical assets.”