NTIA Advances SBOM Guidelines Without Definitive Timeline
Standardizing data shared on software components is vital for identifying cyber vulnerabilities and will have an impact across industries, stakeholders told NTIA Thursday. The agency held a virtual meeting on the multistakeholder process on software component transparency (see 2006180024).
NTIA’s goal is to standardize software component data sharing so entities and users can better understand networks, which will help identify risks and affected components. NTIA plans to issue guidance for a software bill of materials. SBOMs list software components.
The agency hasn’t released a formal timeline. “The NTIA SBOM initiative is driven by stakeholders, and they are ultimately responsible for setting timetables, defining deliverables and reaching consensus,” a spokesperson emailed.
NTIA Director-Cybersecurity Initiatives Allan Friedman highlighted the importance of guidance. He cited a recent Snyk survey, in which 60 percent of respondents say lack a “good view into the full dependency trees of their software.” This means it’s difficult to identify newly discovered vulnerabilities, Friedman said. Survey participants included officials in software development, security and infrastructure/operations. Progress on the initiative has been “subtle” but “impactful,” said Food and Drug Administration Cyber Policy Adviser Jessica Wilkerson.
There are no “global authoritative sources to obtain the values for the Component Name in SBOM data,” according to materials the framing group provided. Two entities that compile SBOMs might use different values for the same component. Lack of clarity can make it difficult to map an “component to vulnerability data, license data, or other data,” wrote working group co-chairs Michelle Jump, MedSec's Global Regulatory Advisor-Medical Device Cybersecurity, and Art Manion, a senior member of the vulnerability analysis team at Carnegie Mellon University's Software Engineering Institute. It makes it difficult for entities potentially hit in a cyberattack to determine if they are affected and where the affected software is used, Jump said.
The framing WG has documents in progress, said Jump. Those include software identity discussion and guidance and the sharing and exchanging of SBOMs. The healthcare proof-of-concept and framing working groups are collaborating, providing upstream SBOMs and test framing phase 1 concepts, they informed stakeholders in presentations. The framing WG next steps are to continue working on identification and sharing papers, contribute to the healthcare group’s proof of concept and potentially identify suppliers.