Amelia Brust/Federal News Network
Cybersecurity
NSA, CISA call on software developers, suppliers to improve open source software management practices
Artificial Intelligence
DARPA competition will use AI to find, fix software vulnerabilities
Cybersecurity
CISA, DHS eye open source software use in critical infrastructure
Federal Newscast
Postal Service agrees to provide more transparency during election season
Commentary
Dispelling myths in the federal use of open source software
Federal Tech Talk
Cybersecurity in federal IT
Technology
How a bill of materials prevents an agency from buying a bill of goods
Ask the CIO
When it comes to open source, culture continues to eat strategy, policy for lunch
Federal Tech Talk
Open source: An efficient way to handle data
Federal Tech Talk
Improving cybersecurity with open source software
Federal Tech Talk
Sonatype: Secure code with less hassle
What's Working in Washington
Why cybersecurity has an open-source solution
Federal Tech Talk
Taming and modernizing the 'beast'
Commentary
Get out of the 5-year rut: Modernize your IT in just 1 year
What's Working in Washington
Open-source software is every company's vulnerable backbone
(AP Photo/Susan Walsh)
![The National Security Agency and the Cybersecurity and Infrastructure Agency’s latest guidance offers software developers and suppliers a set of recommendations on how to securely source and store open source software, as open source tech use has skyrocketed in the last few years
<a href="https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF">The new document</a> from the Enduring Security Framework (ESF) Software Supply Chain Working Group focuses on open source software adoption and things to consider when introducing an open source component to the existing environment. The guidance also covers best practices for Software Bill of Materials (SBOMs) management.
Titled 'Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,' the guidance expands on a June 2023 memo from the Office of Management and Budget, which <a href="https://federalnewsnetwork.com/cybersecurity/2023/06/white-house-extends-secure-software-attestation-deadlines-offers-clarifying-guidance/">directed</a> agencies to begin collecting attestations for critical software and clarified that agencies only have to collect attestations from the producer of the software end product. The document also builds on the <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3221208/esf-partners-nsa-and-cisa-release-software-supply-chain-guidance-for-customers/">previously released</a> series of recommended practices guides for securing the software supply chain.
“This guidance may be used to describe, assess and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment and operational phases,” the report stated.
The document delves into open source software management; creating and maintaining a company internal secure open-source software repository; open-source software maintenance, support and crisis management; code signing and secure software delivery; and SBOM creation, validation and artifacts.
The guidance also highlights seven areas of improvement related to software development and open-source software, including open-source selection criteria, risk assessment, licensing, export control, maintenance, vulnerability response and secure software and SBOM delivery.
Given the complexity of securing the software supply chain, the document will continue to evolve. The working group urges suppliers and developers to track CISA’s website for SBOM updates and clarifications. Additionally, CISA facilitates vulnerability exploitability exchange (VEX) discussions with the SBOM community and has information and resources on defining VEX minimum elements, use cases, and status justifications.
“Understanding the provenance of SBOMs are clearly where rubber hits the road, however organizations need the capability to both consume and proactively use those SBOMs. If they don’t, then SBOMs merely become shelfware until there’s an incident or a known vulnerability. SBOMs are a critical piece of supply chain risk management,” Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, <a href="https://federalnewsnetwork.com/cybersecurity/2023/10/nist-researchers-take-on-software-supply-chain-questions/">told</a> Federal News Network in an interview in October.
“But they’re not a silver bullet, and they require an organization to have a broader and deeper vulnerability management program established in order to really reap the benefits of SBOMs,” he added.
The ESF’s guidance on securing the software supply chain from last year <a href="https://federalnewsnetwork.com/cybersecurity/2022/11/nsa-backs-sbom-requirements-in-latest-secure-software-advisory/">identified</a> SBOMs as a critical to the software acquisition process and recommended that agencies use SBOMs during the evaluation phase of an acquisition.
CISA also facilitates workstreams led by the National Telecommunications and Information Administration on <a href="https://www.ntia.gov/other-publication/2021/ntia-software-component-transparency">SBOMs-related topics</a>, including cloud and online applications, on-ramps and adoption, sharing and exchanging and tooling and implementation.
Recent high-profile software supply chain incidents, including SolarWinds and Log4J, have promoted organizations to address weaknesses within the software supply chain. President Joe Biden’s cybersecurity executive order released in 2021 established new requirements for securing the federal government’s software supply chain, signaling the beginning of the administration’s commitment to a more secure software supply chain. Earlier this year, the White House released the National Cybersecurity Strategy, which called for the shift of the burden for cybersecurity to vendors and for software providers to introduce more secure software development practices.
The ESF Software Supply Chain Working Group, led by the NSA, Office of the Director of National Intelligence (ODNI), CISA and industry partners is just one of the government-wide efforts to address the need for software supply chain security guidance.]()
![The National Security Agency and the Cybersecurity and Infrastructure Agency’s latest guidance offers software developers and suppliers a set of recommendations on how to securely source and store open source software, as open source tech use has skyrocketed in the last few years
<a href="https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF">The new document</a> from the Enduring Security Framework (ESF) Software Supply Chain Working Group focuses on open source software adoption and things to consider when introducing an open source component to the existing environment. The guidance also covers best practices for Software Bill of Materials (SBOMs) management.
Titled 'Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,' the guidance expands on a June 2023 memo from the Office of Management and Budget, which <a href="https://federalnewsnetwork.com/cybersecurity/2023/06/white-house-extends-secure-software-attestation-deadlines-offers-clarifying-guidance/">directed</a> agencies to begin collecting attestations for critical software and clarified that agencies only have to collect attestations from the producer of the software end product. The document also builds on the <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3221208/esf-partners-nsa-and-cisa-release-software-supply-chain-guidance-for-customers/">previously released</a> series of recommended practices guides for securing the software supply chain.
“This guidance may be used to describe, assess and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment and operational phases,” the report stated.
The document delves into open source software management; creating and maintaining a company internal secure open-source software repository; open-source software maintenance, support and crisis management; code signing and secure software delivery; and SBOM creation, validation and artifacts.
The guidance also highlights seven areas of improvement related to software development and open-source software, including open-source selection criteria, risk assessment, licensing, export control, maintenance, vulnerability response and secure software and SBOM delivery.
Given the complexity of securing the software supply chain, the document will continue to evolve. The working group urges suppliers and developers to track CISA’s website for SBOM updates and clarifications. Additionally, CISA facilitates vulnerability exploitability exchange (VEX) discussions with the SBOM community and has information and resources on defining VEX minimum elements, use cases, and status justifications.
“Understanding the provenance of SBOMs are clearly where rubber hits the road, however organizations need the capability to both consume and proactively use those SBOMs. If they don’t, then SBOMs merely become shelfware until there’s an incident or a known vulnerability. SBOMs are a critical piece of supply chain risk management,” Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, <a href="https://federalnewsnetwork.com/cybersecurity/2023/10/nist-researchers-take-on-software-supply-chain-questions/">told</a> Federal News Network in an interview in October.
“But they’re not a silver bullet, and they require an organization to have a broader and deeper vulnerability management program established in order to really reap the benefits of SBOMs,” he added.
The ESF’s guidance on securing the software supply chain from last year <a href="https://federalnewsnetwork.com/cybersecurity/2022/11/nsa-backs-sbom-requirements-in-latest-secure-software-advisory/">identified</a> SBOMs as a critical to the software acquisition process and recommended that agencies use SBOMs during the evaluation phase of an acquisition.
CISA also facilitates workstreams led by the National Telecommunications and Information Administration on <a href="https://www.ntia.gov/other-publication/2021/ntia-software-component-transparency">SBOMs-related topics</a>, including cloud and online applications, on-ramps and adoption, sharing and exchanging and tooling and implementation.
Recent high-profile software supply chain incidents, including SolarWinds and Log4J, have promoted organizations to address weaknesses within the software supply chain. President Joe Biden’s cybersecurity executive order released in 2021 established new requirements for securing the federal government’s software supply chain, signaling the beginning of the administration’s commitment to a more secure software supply chain. Earlier this year, the White House released the National Cybersecurity Strategy, which called for the shift of the burden for cybersecurity to vendors and for software providers to introduce more secure software development practices.
The ESF Software Supply Chain Working Group, led by the NSA, Office of the Director of National Intelligence (ODNI), CISA and industry partners is just one of the government-wide efforts to address the need for software supply chain security guidance.]()
![The National Security Agency and the Cybersecurity and Infrastructure Agency’s latest guidance offers software developers and suppliers a set of recommendations on how to securely source and store open source software, as open source tech use has skyrocketed in the last few years
<a href="https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF">The new document</a> from the Enduring Security Framework (ESF) Software Supply Chain Working Group focuses on open source software adoption and things to consider when introducing an open source component to the existing environment. The guidance also covers best practices for Software Bill of Materials (SBOMs) management.
Titled 'Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,' the guidance expands on a June 2023 memo from the Office of Management and Budget, which <a href="https://federalnewsnetwork.com/cybersecurity/2023/06/white-house-extends-secure-software-attestation-deadlines-offers-clarifying-guidance/">directed</a> agencies to begin collecting attestations for critical software and clarified that agencies only have to collect attestations from the producer of the software end product. The document also builds on the <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3221208/esf-partners-nsa-and-cisa-release-software-supply-chain-guidance-for-customers/">previously released</a> series of recommended practices guides for securing the software supply chain.
“This guidance may be used to describe, assess and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment and operational phases,” the report stated.
The document delves into open source software management; creating and maintaining a company internal secure open-source software repository; open-source software maintenance, support and crisis management; code signing and secure software delivery; and SBOM creation, validation and artifacts.
The guidance also highlights seven areas of improvement related to software development and open-source software, including open-source selection criteria, risk assessment, licensing, export control, maintenance, vulnerability response and secure software and SBOM delivery.
Given the complexity of securing the software supply chain, the document will continue to evolve. The working group urges suppliers and developers to track CISA’s website for SBOM updates and clarifications. Additionally, CISA facilitates vulnerability exploitability exchange (VEX) discussions with the SBOM community and has information and resources on defining VEX minimum elements, use cases, and status justifications.
“Understanding the provenance of SBOMs are clearly where rubber hits the road, however organizations need the capability to both consume and proactively use those SBOMs. If they don’t, then SBOMs merely become shelfware until there’s an incident or a known vulnerability. SBOMs are a critical piece of supply chain risk management,” Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, <a href="https://federalnewsnetwork.com/cybersecurity/2023/10/nist-researchers-take-on-software-supply-chain-questions/">told</a> Federal News Network in an interview in October.
“But they’re not a silver bullet, and they require an organization to have a broader and deeper vulnerability management program established in order to really reap the benefits of SBOMs,” he added.
The ESF’s guidance on securing the software supply chain from last year <a href="https://federalnewsnetwork.com/cybersecurity/2022/11/nsa-backs-sbom-requirements-in-latest-secure-software-advisory/">identified</a> SBOMs as a critical to the software acquisition process and recommended that agencies use SBOMs during the evaluation phase of an acquisition.
CISA also facilitates workstreams led by the National Telecommunications and Information Administration on <a href="https://www.ntia.gov/other-publication/2021/ntia-software-component-transparency">SBOMs-related topics</a>, including cloud and online applications, on-ramps and adoption, sharing and exchanging and tooling and implementation.
Recent high-profile software supply chain incidents, including SolarWinds and Log4J, have promoted organizations to address weaknesses within the software supply chain. President Joe Biden’s cybersecurity executive order released in 2021 established new requirements for securing the federal government’s software supply chain, signaling the beginning of the administration’s commitment to a more secure software supply chain. Earlier this year, the White House released the National Cybersecurity Strategy, which called for the shift of the burden for cybersecurity to vendors and for software providers to introduce more secure software development practices.
The ESF Software Supply Chain Working Group, led by the NSA, Office of the Director of National Intelligence (ODNI), CISA and industry partners is just one of the government-wide efforts to address the need for software supply chain security guidance.]()
![The National Security Agency and the Cybersecurity and Infrastructure Agency’s latest guidance offers software developers and suppliers a set of recommendations on how to securely source and store open source software, as open source tech use has skyrocketed in the last few years
<a href="https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF">The new document</a> from the Enduring Security Framework (ESF) Software Supply Chain Working Group focuses on open source software adoption and things to consider when introducing an open source component to the existing environment. The guidance also covers best practices for Software Bill of Materials (SBOMs) management.
Titled 'Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,' the guidance expands on a June 2023 memo from the Office of Management and Budget, which <a href="https://federalnewsnetwork.com/cybersecurity/2023/06/white-house-extends-secure-software-attestation-deadlines-offers-clarifying-guidance/">directed</a> agencies to begin collecting attestations for critical software and clarified that agencies only have to collect attestations from the producer of the software end product. The document also builds on the <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3221208/esf-partners-nsa-and-cisa-release-software-supply-chain-guidance-for-customers/">previously released</a> series of recommended practices guides for securing the software supply chain.
“This guidance may be used to describe, assess and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment and operational phases,” the report stated.
The document delves into open source software management; creating and maintaining a company internal secure open-source software repository; open-source software maintenance, support and crisis management; code signing and secure software delivery; and SBOM creation, validation and artifacts.
The guidance also highlights seven areas of improvement related to software development and open-source software, including open-source selection criteria, risk assessment, licensing, export control, maintenance, vulnerability response and secure software and SBOM delivery.
Given the complexity of securing the software supply chain, the document will continue to evolve. The working group urges suppliers and developers to track CISA’s website for SBOM updates and clarifications. Additionally, CISA facilitates vulnerability exploitability exchange (VEX) discussions with the SBOM community and has information and resources on defining VEX minimum elements, use cases, and status justifications.
“Understanding the provenance of SBOMs are clearly where rubber hits the road, however organizations need the capability to both consume and proactively use those SBOMs. If they don’t, then SBOMs merely become shelfware until there’s an incident or a known vulnerability. SBOMs are a critical piece of supply chain risk management,” Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, <a href="https://federalnewsnetwork.com/cybersecurity/2023/10/nist-researchers-take-on-software-supply-chain-questions/">told</a> Federal News Network in an interview in October.
“But they’re not a silver bullet, and they require an organization to have a broader and deeper vulnerability management program established in order to really reap the benefits of SBOMs,” he added.
The ESF’s guidance on securing the software supply chain from last year <a href="https://federalnewsnetwork.com/cybersecurity/2022/11/nsa-backs-sbom-requirements-in-latest-secure-software-advisory/">identified</a> SBOMs as a critical to the software acquisition process and recommended that agencies use SBOMs during the evaluation phase of an acquisition.
CISA also facilitates workstreams led by the National Telecommunications and Information Administration on <a href="https://www.ntia.gov/other-publication/2021/ntia-software-component-transparency">SBOMs-related topics</a>, including cloud and online applications, on-ramps and adoption, sharing and exchanging and tooling and implementation.
Recent high-profile software supply chain incidents, including SolarWinds and Log4J, have promoted organizations to address weaknesses within the software supply chain. President Joe Biden’s cybersecurity executive order released in 2021 established new requirements for securing the federal government’s software supply chain, signaling the beginning of the administration’s commitment to a more secure software supply chain. Earlier this year, the White House released the National Cybersecurity Strategy, which called for the shift of the burden for cybersecurity to vendors and for software providers to introduce more secure software development practices.
The ESF Software Supply Chain Working Group, led by the NSA, Office of the Director of National Intelligence (ODNI), CISA and industry partners is just one of the government-wide efforts to address the need for software supply chain security guidance.]()
Federal Drive
Tony Scott: The MS/Github merger and federal software development
On DoD
Amid congressional mandate to open source DoD's software code, Code.mil serves as guidepost
Federal Tech Talk
Can open source help agencies manage big data?
Federal Tech Talk
Elastic: The power behind the (digital) throne
Technology
New OMB policy pushes agencies to actively build and share 'People's Code'
Federal Tech Talk
“When data moves, Intel helps you win”
Federal Tech Talk
A deeper look at GSA's 18F program
