Bolstering Cybersecurity Risk Management With SBOMS – Forbes


Cybersecurity is about risk mitigation: understanding the threats and fortifying gaps in networks and devices. Companies and organizations cannot fully protect digital assets unless they know what software applications they have connected to enterprise networks and devices. With the growth of supply chain attacks, and a record number of breaches at both corporations and government agencies, there are efforts underway for more transparency and accountability for such assets. One initiative is the call for a “Software Bill of Materials” (SBOM).

On May 12, 2021, the White House issued a formal executive order (EO) 14028 aimed at fortifying the nation’s cybersecurity posture, including enhancing software supply chain security. In relation to the EO, the National Telecommunications and Information Administration (NTIA) issued a notice for public comment under its mandate to publish a list of minimum elements for an SBOM. NTIA proposed a definition of the “minimum elements” of an SBOM that “builds on three broad, inter-related areas: data fields, operational considerations, and support for automation.” (Federal Register :: Software Bill of Materials Elements and Considerations)

And in October 2021, the DHS Software Supply Chain Risk Management Act of 2021 was passed by the U.S. House of Representatives in a 412-2 vote. Under the bill, the Under Secretary for Management will be required to issue department-wide guidelines for identifying materials used in software development. The new guidelines will help modernize DHS’ acquisition process and strengthen cybersecurity by requiring DHS contractors to submit software bills of materials identifying the origins of each component in the software provided to the agency. Rep. Ritchie Torres, vice chairman of the House Homeland Security Committee and sponsor of the bill, noted, “As cyberattacks become increasingly frequent and sophisticated, it is crucial that DHS has the capacity to protect its own networks and enhance its visibility into information and communications tech or services that it buys.” (DHS Software Supply Chain Cybersecurity Act Passes House Vote; Rep. Ritchie Torres Quoted, executivegov.com)

What is a “Software Bill of Materials” (SBOM)?

According to the National Telecommunications and Information Administration (NTIA) at the Department of Commerce, a “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. Or, more specifically, an SBOM is a “formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.”
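The “nested inventory” and “supply chain relationships” in that definition are easiest to see in a concrete document. The following is an added example, not code from the article or from NTIA: a constructed SBOM in the shape of a CycloneDX 1.4 JSON document (the `bomFormat`, `components`, `dependencies` and `bom-ref` fields are real CycloneDX conventions; the package names, versions and the `POLICY_BLOCKLIST` are made up). The code walks the dependency graph from the top-level application to enumerate every transitive component, flags any component that an organisation's own policy list says must not ship, and reports dependency references that the SBOM never declares, which is the kind of gap a consumer of an SBOM should check before trusting it.

```python
"""Walk a CycloneDX-style SBOM: list transitive components, apply a policy list,
and flag undeclared references. Sample data below is constructed, not a real SBOM."""
import json

# Constructed sample SBOM (CycloneDX 1.4 layout; names and versions are fictitious).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "billing-service", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "example-http",
         "version": "1.2.0", "purl": "pkg:pypi/example-http@1.2.0"},
        {"type": "library", "bom-ref": "lib-b", "name": "example-json",
         "version": "4.0.1", "purl": "pkg:pypi/example-json@4.0.1"},
        {"type": "library", "bom-ref": "lib-c", "name": "example-log",
         "version": "0.9.0", "purl": "pkg:pypi/example-log@0.9.0"},
    ],
    # Supply chain relationships: who depends on whom. "lib-d" is deliberately
    # referenced but never declared, to exercise the integrity check below.
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b", "lib-c"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "lib-c", "dependsOn": ["lib-b", "lib-d"]},
    ],
})

# Hypothetical organisational policy: (name, version) pairs that must not ship.
POLICY_BLOCKLIST = {("example-json", "4.0.1")}


def load_sbom(text):
    """Parse a CycloneDX JSON string into (root_ref, components_by_ref, graph)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    root = doc["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, graph


def transitive_closure(root_ref, graph):
    """Return {ref: depth} for every node reachable from root_ref.
    Iterative DFS; the visited map also protects against dependency cycles."""
    depth = {root_ref: 0}
    stack = [root_ref]
    while stack:
        cur = stack.pop()
        for child in graph.get(cur, []):
            if child not in depth:
                depth[child] = depth[cur] + 1
                stack.append(child)
    return depth


def undeclared_refs(sbom_text):
    """Refs that appear in 'dependencies' but have no entry in 'components'."""
    root_ref, components, graph = load_sbom(sbom_text)
    referenced = set(graph) | {c for kids in graph.values() for c in kids}
    return sorted(referenced - set(components))


def policy_hits(sbom_text, blocklist):
    """(name, version, depth) for every reachable component on the blocklist,
    ordered shallowest first so direct dependencies are reported before transitive ones."""
    root_ref, components, graph = load_sbom(sbom_text)
    reachable = transitive_closure(root_ref, graph)
    hits = []
    for ref, d in sorted(reachable.items(), key=lambda kv: (kv[1], kv[0])):
        comp = components.get(ref)
        if comp is not None and (comp["name"], comp["version"]) in blocklist:
            hits.append((comp["name"], comp["version"], d))
    return hits


if __name__ == "__main__":
    root, comps, g = load_sbom(SAMPLE_SBOM)
    for ref, d in sorted(transitive_closure(root, g).items(), key=lambda kv: kv[1]):
        print("  " * d + ref)
    print("policy hits:", policy_hits(SAMPLE_SBOM, POLICY_BLOCKLIST))
    print("undeclared refs:", undeclared_refs(SAMPLE_SBOM))
```

Two design points worth noting: the depth ordering matters in practice because a blocked component two levels down is usually fixed by upgrading the direct dependency that pulls it in, not the component itself; and the undeclared-reference check is an integrity test on the SBOM rather than on the software, so a non-empty result means the supplier's record is incomplete before any vulnerability question is asked.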


SBOMS and Risk Management

In the past, much of cybersecurity has been reactive; current operational trends are to be strategic and proactive. Because of the expansion of the digital attack surface and new sophisticated hacker tools, companies and agencies need to rely more on informed risk management. That requires a more active application of the NIST Framework that includes detection, recognition, identification, response, and remediation of threats.

Advancement in the area of predictive data analytics and diagnostics to index, provide network traffic analysis, and protect against further incursions is already becoming a growing area of concentration. Also, information security leaders need to understand the risks to their business …….

Source: https://www.forbes.com/sites/chuckbrooks/2021/11/01/bolstering-cybersecurity-risk-management-with-sboms/
