New guidance from lead cybersecurity agencies identifies Software Bills of Materials as a critical factor in ensuring security during the software acquisition process.
The advisory from the Enduring Security Framework’s Software Supply Chain Working Panel covers recommended best practices for customers. It runs through considerations software buyers should apply across the acquisition, deployment, and operational phases of a software supply chain.
The ESF recommends agencies use SBOMs to verify the contents of a software product during the evaluation phase of an acquisition.
“This verification should include attributes such as geolocation, supplier ownership or control, Data Universal Numbering System (DUNS) verification, and past performances,” the guidance states. It also recommends subjecting third-party suppliers identified in the SBOM to a similar evaluation.
The ESF is a group of agency and industry experts, led by the National Security Agency. It also includes involvement from the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence.
The latest guidance is the third part of a series that has also covered best practices for software developers and suppliers, respectively.
The endorsement of the SBOM concept by the NSA and other key cyber stakeholders is notable as both the Biden administration and Congress consider potential software security requirements. The technology industry has pushed back against legislation that would broadly require the use of SBOMs across federal contracting.
The ESF advisory suggests SBOMs are crucial when contracting for secure software.
A possible “threat scenario” that could lead to a higher risk of disruption or compromise, it states, is when an SBOM “is missing entirely or lacks a means to ensure the integrity of the product.” It suggests software customers require a supplier to send all software artifacts in a “standardized SBOM format.” The supplier should also provide SBOMs for all software upgrades, it adds.
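The two conditions the advisory flags, an SBOM that is missing entirely and one that lacks a means to ensure product integrity, can be turned into an acceptance check a buyer runs on a delivery. The following example is added here and is not code from the ESF guidance or from any SBOM tool; it assumes CycloneDX-style JSON field names (`bomFormat`, `components`, `hashes`) and uses constructed artifact bytes and a constructed SBOM, one component of which deliberately omits its hash so the check has something to report.

```python
import hashlib

# Constructed sample deliverables: the artifact bytes a supplier would ship.
# These bytes are made up for this example and stand in for real files.
ARTIFACTS = {
    "libexample": b"constructed artifact bytes for libexample 1.2.3\n",
    "nohash-lib": b"constructed artifact bytes for nohash-lib 0.1.0\n",
}

# Assumption: the buyer has standardized on this SBOM format in the contract.
SUPPORTED_FORMATS = {"CycloneDX"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the delivered artifact, the value the SBOM must vouch for."""
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom() -> dict:
    """Constructed SBOM using CycloneDX-style field names.

    One component carries a SHA-256 hash; the other omits hashes, which is the
    defect the guidance warns about (no means to ensure integrity)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libexample", "version": "1.2.3",
             "hashes": [{"alg": "SHA-256",
                         "content": sha256_hex(ARTIFACTS["libexample"])}]},
            {"type": "library", "name": "nohash-lib", "version": "0.1.0"},
        ],
    }


def evaluate_sbom(sbom, artifacts) -> list:
    """Return a list of findings; an empty list means the delivery passed.

    Checks, in order: SBOM present at all, SBOM in the agreed format, every
    component carries a SHA-256, every declared hash matches the delivered
    artifact, and nothing was delivered that the SBOM does not declare."""
    if sbom is None:
        return ["SBOM missing entirely: product contents cannot be verified"]
    findings = []
    fmt = sbom.get("bomFormat")
    if fmt not in SUPPORTED_FORMATS:
        findings.append(f"SBOM format {fmt!r} is not the agreed standardized format")
    declared = set()
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        declared.add(name)
        sha = [h["content"] for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
        if not sha:
            findings.append(f"{name}: no SHA-256 in SBOM, no means to ensure integrity")
            continue
        if name not in artifacts:
            findings.append(f"{name}: declared in SBOM but no artifact delivered")
            continue
        if sha256_hex(artifacts[name]) != sha[0].lower():
            findings.append(f"{name}: delivered artifact does not match SBOM hash")
    # Artifacts shipped without an SBOM entry are unverifiable content.
    for name in sorted(set(artifacts) - declared):
        findings.append(f"{name}: delivered but not declared in SBOM")
    return findings


if __name__ == "__main__":
    for finding in evaluate_sbom(build_sample_sbom(), ARTIFACTS):
        print("FINDING:", finding)
```

Run against the constructed delivery, the check reports only `nohash-lib`, because the SBOM gives no hash for it; a missing SBOM, a non-standard format, a tampered artifact, or an undeclared extra file each produce their own finding, which is what lets a buyer treat "SBOM missing or lacking integrity" as a concrete acceptance criterion rather than a judgement call.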
Natalie Pittore, chief of the ESF at the NSA, said the practices outlined in the latest document “are applicable across diverse industries,” including national security systems.
“We encourage organizations to identify what practices are most applicable and suitable for their software security needs,” she wrote in an emailed response to questions from Federal News Network.
Agencies are digesting a bevy of new software security practices and guidance released over the past year.