NSA backs SBOM requirements in latest secure software advisory

New guidance from lead cybersecurity agencies identifies Software Bills of Materials as a critical factor in ensuring security during the software acquisition process.

The advisory from the Enduring Security Framework’s Software Supply Chain Working Panel covers recommended best practices for customers. It runs through considerations software buyers should apply across the acquisition, deployment and operational phases of a software supply chain.

The ESF recommends agencies use SBOMs to verify the contents of a software product during the evaluation phase of an acquisition.

“This verification should include attributes such as geolocation, supplier ownership or control, Data Universal Numbering System (DUNS) verification, and past performances,” the guidance states. It also recommends subjecting third-party suppliers identified in the SBOM to a similar evaluation.

The ESF is a group of agency and industry experts, led by the National Security Agency. It also includes involvement from the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence.

The latest guidance is the third part of a series that has also covered best practices for software developers and suppliers, respectively.

The endorsement of the SBOM concept by the NSA and other key cyber stakeholders is notable as both the Biden administration and Congress consider potential software security requirements. The technology industry has pushed back against legislation that would broadly require the use of SBOMs across federal contracting.

The ESF advisory suggests SBOMs are crucial when contracting for secure software.

A possible “threat scenario” that could lead to a higher risk of disruption or compromise, it states, is when an SBOM “is missing entirely or lacks a means to ensure the integrity of the product.” It suggests software customers require a supplier to send all software artifacts in a “standardized SBOM format.” The supplier should also provide SBOMs for all software upgrades, it adds.
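The customer-side checks the advisory describes (an SBOM that is missing entirely, not in a standardized format, or lacking a means to verify product integrity, plus a named supplier for each component so third parties can be evaluated) can be scripted against a delivery. The following is an added example, not code from the advisory or from the ESF; it assumes a CycloneDX JSON SBOM, a constructed set of shipped files, and a hypothetical `delivery:file` component property that ties each component to a shipped artifact (not part of the CycloneDX schema).

```python
"""Consumer-side SBOM acceptance check (constructed example, not ESF code)."""
import hashlib
import json

# Only CycloneDX JSON is handled here; treating anything else as
# "non-standard" is an assumption of this example, not the advisory's list.
ACCEPTED_FORMATS = {"CycloneDX"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed delivery: file name -> bytes the supplier shipped.
DELIVERED_ARTIFACTS = {
    "libparser-2.3.1.tar.gz": b"constructed payload of libparser 2.3.1",
    "netutil-0.9.0.whl": b"constructed payload of netutil 0.9.0",
}

# Constructed CycloneDX-style SBOM accompanying the delivery. The
# "delivery:file" property is an assumption of this example.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "libparser",
            "version": "2.3.1",
            "supplier": {"name": "Example Parsers Ltd (constructed)"},
            "hashes": [{"alg": "SHA-256",
                        "content": sha256_hex(DELIVERED_ARTIFACTS["libparser-2.3.1.tar.gz"])}],
            "properties": [{"name": "delivery:file", "value": "libparser-2.3.1.tar.gz"}],
        },
        {
            "type": "library",
            "name": "netutil",
            "version": "0.9.0",
            # No supplier and no hashes: the third party cannot be evaluated
            # and the shipped file cannot be tied to this SBOM entry.
            "properties": [{"name": "delivery:file", "value": "netutil-0.9.0.whl"}],
        },
    ],
})


def evaluate_delivery(sbom_json, artifacts):
    """Return a list of findings for one software delivery (empty = accepted).

    Flags an SBOM that is missing, unparseable or not in an accepted format,
    then checks each component for a named supplier and for a SHA-256 hash
    that matches the delivered artifact.
    """
    if sbom_json is None:
        return ["SBOM missing entirely"]
    try:
        sbom = json.loads(sbom_json)
    except json.JSONDecodeError:
        return ["SBOM is not parseable"]

    findings = []
    if sbom.get("bomFormat") not in ACCEPTED_FORMATS:
        findings.append(f"non-standard SBOM format: {sbom.get('bomFormat')!r}")

    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: no supplier named, third-party evaluation impossible")
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        filename = props.get("delivery:file")
        expected = [h["content"] for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
        if not expected:
            findings.append(f"{label}: no SHA-256 hash, integrity cannot be verified")
            continue
        if filename not in artifacts:
            findings.append(f"{label}: declared file {filename!r} not delivered")
            continue
        if sha256_hex(artifacts[filename]) not in expected:
            findings.append(f"{label}: hash mismatch for {filename}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_delivery(SAMPLE_SBOM_JSON, DELIVERED_ARTIFACTS):
        print("FINDING:", finding)
```

Run as-is, the check accepts `libparser` and reports two findings against `netutil`; swapping the bytes of a delivered file produces a hash-mismatch finding, which is the integrity signal the advisory says a missing or unverifiable SBOM cannot provide.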

Natalie Pittore, chief of the ESF at the NSA, said the practices outlined in the latest document “are applicable across diverse industries,” including national security systems.

“We encourage organizations to identify what practices are most applicable and suitable for their software security needs,” she wrote in an emailed response to questions from Federal News Network.

Agencies are digesting a bevy of new software security practices and guidance released over the past year.

The Office of Management and Budget most recently directed agencies to require software vendors to self-certify that they’re following secure development practices established by the National Institute of Standards and Technology. The guidance encourages agencies to obtain proof from software vendors, potentially including SBOMs.

Officials are also working on new Federal Acquisition Regulation rules around secure software development.

CISA is leading efforts to continue to mature the SBOM concept, while some federal organizations like the Army are already moving toward SBOM adoption.

Pittore said SBOMs will also be a focus of her group’s future work.

“ESF plans on releasing additional software security products,” she said. “Our next releases will provide helpful information on SBOM consumption and extended developer guidance.”

Copyright © 2024 Federal News Network. All rights reserved.
