There’s a lot of news on the SBOM
front today – especially the energy SBOM front. When I don’t feel like taking
the time to organize a post (or I’m too tired, as I am tonight), I do it as a
set of bullet points. Today’s post is one of those.
The fourth and last of
the NTIA’s introductory webinars on SBOMs for the energy industry was held on
Monday, and was once again quite successful. The video was just posted. While the three
previous webinars have mostly featured people who aren’t part of the energy
industry (but have a lot of knowledge and experience with SBOMs), this one
consisted almost entirely of people from the industry.
The purpose of this
webinar was unabashedly to get people in the energy industry excited (or at
least curious) about the upcoming proof of concept for use of SBOMs in the
industry. In fact, Dr. Allan Friedman concluded the webinar with what I’ve been
calling an “altar call”, in which he asked members of the industry – both asset
owners that use software (as if there’s any organization in the world that
doesn’t use software in one form or another nowadays!) and the suppliers of
that software – to (virtually) make the commitment to…what? Join the PoC?
No, Allan announced
that the organizational meeting for the PoC (virtual, of course) will be held on
Monday April 26 at 1PM Eastern Time; connection information will be available
next week, and I’ll publish it in my blog then. If you would like to get on
Allan’s mailing list, drop him an email at afriedman@ntia.gov.
I don’t know whether he’ll send out an actual calendar invitation, but I’m sure
something will go out with the connection information.
Who’s welcome at the
meeting? Attendance is strictly limited to people who are in some way
associated with the energy industry (if for no other reason than that they’re
users of electric power) and have a working knowledge of English. I’m sorry,
but we had to draw the line somewhere…
The speakers at the
webinar all expressed their support for the PoC. They included:
1. Tony Eddleman, Nebraska Public Power District and chairman of the NERC Supply Chain Working Group
2. Jeff Sweet, AEP (Jeff spoke during the Q&A period, but spoke nevertheless!)
3. Cheri Caddy of US Department of Energy CESER, who has been very involved in getting this PoC off the ground
4. Cassie Crossley of Schneider Electric
5. Bryan Owen of OSIsoft
6. Val Agnew, North American Transmission Forum
7. Stephanie Toussaint of Edison Electric Institute
At the end of the
webinar, Allan issued his altar call, and also introduced the two people he's
chosen to lead the PoC. They are Virginia Wright of Idaho National Labs and…hmm,
can't remember the name…oh yes, Tom Alrich of Tom Alrich LLC. He introduced the
latter person as a "blogger", but everyone knows you can't make a living off of
a blog, so I remain suspicious of the guy.
Now I'm going to talk
a little about the PoC itself. The schedule, agenda, rules, etc. will all be
determined by the participants themselves. Remember, NTIA isn't in the business
of telling people what to do. The Software Transparency Initiative is one of a
number of "multistakeholder processes" sponsored by NTIA, in which the goal is
to help members of an industry cooperatively figure out how best to implement or
improve a new technology. What comes out the other end of the process is up to
the participants, although Allan is quite good at helping the participants
figure out what they perhaps meant all along. That said, I am sure that the
energy PoC will in general follow the path of the healthcare PoC, which started
in 2018 and is still going strong (they're actually in about their fifth
iteration of the PoC, with each iteration getting more ambitious in terms of
what's included). So what follows is based on what I know of the healthcare PoC,
which is a lot, since I've been attending their weekly meetings for months.
There will be two
tracks of activity. The first track to get going is the public track; in fact,
the meeting on the 26th can be considered the first meeting of that track. It
will start with a series of informational meetings that really get into the
details of SBOMs: how they are produced and distributed, as well as some of the
use cases (although new use cases seem to pop up all the time; SBOMs are very
useful). The time and frequency of those meetings are still TBD (hopefully
they'll get decided on the 26th).
Anyone involved with
the energy industry is welcome to attend these Track 1 meetings. In fact, these
meetings may be much larger than even I thought they would be before today,
because it turns out there may be a number of participants from the oil and gas
industry as well. Of course, they’re “energy”, too, but frankly all of our
recruitment efforts so far have focused on electric power. Since O&G shares
many of the same technologies and suppliers with the power industry, it makes
sense to join forces, especially in the educational track of the PoC. Welcome,
O&G!
Track 2 will be the
actual proof of concept. This will consist of a relatively small group of asset
owners and suppliers (the healthcare PoC started off with about five large
hospitals, or healthcare delivery organizations as they call themselves, and
five medical device makers, although their numbers have grown since 2018) that
will agree on rules and formats; all will sign a mutually agreed-upon NDA. The
suppliers in this group will test producing SBOMs (although lots of software
suppliers produce them now) and the asset owners will test "consuming" them,
especially using them for mitigating supply chain cybersecurity risk, i.e.
finding out which vulnerable components are in the software they run. Of course,
there are other use cases like licensing, since SBOMs can contain license
information as well.
It is very likely that
the Track 2 team will also decide to invite two other categories of
participants to join: a) vendors of tools for configuration and/or vulnerability
management (as well as some other categories), that would logically need to “ingest”
SBOMs in order to be able to track and manage software component
vulnerabilities; and b) vendors of services that “process” SBOMs to make the
information easier to use for the asset owners. The decision will be up to the current
participants in the PoC (Track 2), but I strongly support doing that, since I
think these vendors are what will enable the widespread use of SBOMs.
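To make the "ingest" step above concrete, here is an added example (my own illustration, not code from NTIA, the PoC, or any of the vendors mentioned) of the minimum a vulnerability-management tool has to do with an SBOM: read the component list, walk nested (bundled) components, and compare each name and version against a vulnerability feed. The SBOM is a constructed CycloneDX-style JSON document for a made-up product, and the feed uses placeholder identifiers, not real CVEs; real tooling would key on purl or CPE and pull the feed from NVD or a vendor service. It also shows the edge case asset owners hit first: a component listed without a version cannot be assessed at all.

```python
import json
import re

# Constructed minimal CycloneDX 1.x JSON SBOM for a hypothetical product.
# Every product, component, version and purl here is made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "grid-historian", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "acme-mqtt", "version": "1.4.2",
         "purl": "pkg:generic/acme-mqtt@1.4.2",
         # nested components describe what acme-mqtt itself bundles
         "components": [
             {"type": "library", "name": "tinycbor", "version": "0.5.2",
              "purl": "pkg:generic/tinycbor@0.5.2"}]},
        {"type": "library", "name": "libfoo", "version": "2.3.0",
         "purl": "pkg:generic/libfoo@2.3.0"},
        # a component listed without a version: common in early SBOMs,
        # and impossible to assess against any feed
        {"type": "library", "name": "widgetlib"},
    ],
})

# Constructed vulnerability feed with placeholder identifiers (not real CVEs).
# "fixed" is exclusive: versions >= fixed are not affected.
SAMPLE_VULN_FEED = [
    {"id": "EXAMPLE-2020-0001", "name": "acme-mqtt", "introduced": "1.0.0", "fixed": "1.4.5"},
    {"id": "EXAMPLE-2021-0002", "name": "tinycbor", "introduced": "0.5.0", "fixed": "0.5.3"},
    {"id": "EXAMPLE-2021-0003", "name": "libfoo", "introduced": "2.0.0", "fixed": "2.2.7"},
]


def parse_version(v):
    """Split a dotted version into a comparable tuple so that
    '1.2.11' < '1.2.12' and '2.0' < '2.0.1'. Numeric pieces sort
    numerically; anything else falls back to string order."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", v))


def walk_components(components, depth=0):
    """Yield (depth, component) for every component, including nested ones."""
    for comp in components:
        yield depth, comp
        yield from walk_components(comp.get("components", []), depth + 1)


def find_affected(sbom_json, vuln_feed):
    """Return one finding per vulnerable component, plus one 'unknown-version'
    finding for each component that cannot be assessed."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    findings = []
    for depth, comp in walk_components(sbom.get("components", [])):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            findings.append({"component": name, "depth": depth,
                             "status": "unknown-version"})
            continue
        ver = parse_version(version)
        for vuln in vuln_feed:
            if vuln["name"] != name:
                continue
            if parse_version(vuln["introduced"]) <= ver < parse_version(vuln["fixed"]):
                findings.append({"component": name, "version": version,
                                 "depth": depth, "id": vuln["id"],
                                 "status": "affected"})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, SAMPLE_VULN_FEED):
        print(f)
```

Two things an asset owner learns from even this toy: the nested tinycbor finding is only visible because the supplier's SBOM went one level deeper than the top-level dependencies, and the unversioned widgetlib entry is a gap the supplier has to close before the SBOM is useful for vulnerability management. Those are exactly the kinds of issues the Track 2 participants will run into and the Track 1 group will work through.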
But don't get the idea
that Track 1 is a dead-end track. While only the Track 2 people will see the SBOMs
produced in the PoC, issue resolution, discussion of lessons learned, and
production of the final report will all be done in Track 1. I've been attending
the healthcare PoC's Track 1 meetings, and I can assure you that the final
decisions on issues and lessons learned get made in Track 1, not Track 2.

The moral of this story is that you're
not being required to commit to do anything more now than come and learn about
SBOMs. I can guarantee this isn't something you can grab a quick course on at your
local community college. The NTIA Software Transparency Initiative is leading
the way toward SBOMs (although I'll refrain from any metaphors comparing Allan
Friedman to Moses at this point; I've already compared him to a minister). As I
said in this post, this is an opportunity to become part of the solution.

Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.