Wednesday, May 12, 2021

Next week might as well be SBOM Week


Next week might as well be called SBOM Week (or maybe “Take your SBOM to work week”), because of all the events that are taking place – four of which you can attend or participate in! Here they are:

1. Joe Biden kicks the week off

It is widely rumored (and was even mentioned in a webinar that I attended last week) that the new Executive Order for software security (although it might not have exactly that title) will be released next week, with Monday the most likely day for it to happen. It’s further rumored – in fact it’s just about certain – that SBOMs will play a prominent role in the EO. Because the order will focus on measures to improve software security of federal agencies, it’s likely the EO will encourage federal agencies to require that software suppliers provide SBOMs with their products. Of course, if suppliers start producing SBOMs for the Feds, they’ll produce them for all of their customers.

However, what I’m hoping the EO doesn’t do is require suppliers to the Feds to start providing SBOMs anytime within say the next 24 months. There are still far too many questions that need to be worked out about how SBOMs will be produced, distributed and used – and most importantly there’s a lack of appropriate software tools that would allow most organizations to easily utilize SBOMs for such purposes as vulnerability management. In this post, I said that it would be best if the EO just said that a rulemaking would begin in say two years. This will give industry (and by the way, the EO will apply to all federal agencies, not just those having to do with the energy industry) time to come to at least rough agreement on the rules of the SBOM game (see the next item below).

On the other hand, by saying that some sort of mandatory requirement for SBOMs will come at some time in the future, that alone will provide a big wakeup call that SBOMs need to be taken seriously by a) any organization that produces software (for its own use, or use by other organizations), and b) any organization that uses software. Which pretty well covers every organization on the planet - although obviously it’s the larger ones who will derive the most benefit from having SBOMs available.

Another very likely component (no pun intended) of the EO is that it will identify the National Technology and Information Administration (NTIA) of the US Department of Commerce as the lead organization for working out the “rules of the road” for SBOMs. This won’t be any surprise if it happens, since I know of literally no other venue worldwide where rules and procedures for SBOMs are even being discussed (and many people from Europe and Japan regularly participate in the NTIA meetings).

Note from Tom 7:18 PM CT on Wednesday: I should have said the EO will be out "by Monday", not "on Monday". I just received it from Mark Weatherford and I'm going through it now. I'll have a post out tomorrow. It definitely has SBOMs in it and it definitely seems to require them for software sold to the government. When? As of the effective date. Nothing about waiting a year or two. Oh well...

And that leads to the next event in SBOM Week:

2. SBOM Energy Proof of Concept workshop

As I’ve mentioned many times (including in this post from last November), the NTIA’s “laboratories” for developing agreement on rules of the road for SBOMs are Proofs of Concept. The first of these – which is still ongoing, although in a further iteration – was for the healthcare industry (it started in 2018). Now an energy PoC is starting, as well as an Autos PoC (where the big automobile manufacturers are the “consumers” of various electronic components that go in cars, and of course the component manufacturers are the producers. I’m looking forward to the day when I’ll be able to choose a car not just based on whether it has a sunroof, but on how many unpatched software vulnerabilities are found in it).

The energy PoC is starting with a series of workshops – that are open to everybody, as long as you’re a user of electricity. These will discuss what is already accomplished as far as SBOM rules of the road are concerned, as well as what remains to be accomplished. These will not mainly be presentations, but will be quite interactive, including discussions and demonstrations of tools, etc. They’ll be recorded, with the links posted on the PoC’s in-progress website, hosted by those good folks at Idaho National Laboratories (DoE is a co-sponsor of the PoC, along with NTIA).

But note that the goal of the PoC isn’t just education but collaboration – in which software suppliers and users jointly work out the rules of engagement for SBOMs. Fortunately, the energy PoC will be able to build on the 2+ years of experience of the healthcare PoC, but there’s still a lot to be worked out (plus we’re not on any obligation to slavishly follow what the healthcare folks have done. There are definitely differences between the industries, which might well require differing approaches to SBOMs).

The second PoC workshop will be next Wednesday from 12-1 ET (and that will be the time for our bi-weekly meetings going forward, based on the results of the Doodle poll that we sent out after the first workshop). The connection information is:

Date: May 19, 2021

Time: 12pm-1pm ET

Teams link: https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDU1NGVlMGUtZmIwYi00OWUxLWIxZjItNjc5ZDY4ODJlMzI4%40thread.v2/0?context=%7b%22Tid%22%3a%22d6cff1bd-67dd-4ce8-945d-d07dc775672f%22%2c%22Oid%22%3a%22a62b8f72-7ed2-4d55-9358-cfe7b3e4f3ed%22%7d 
Dial-in: +1 202-886-0111,,114057520#  
Other Numbers: https://dialin.teams.microsoft.com/2e8e819f-8605-44d3-a7b9-d176414fe81a?id=114057520

There’s no sign-up for the workshop, but you should make sure you’re on the PoC mailing list. To join (or if you want to confirm you’re already on the list), send an email to sbomenergypoc@inl.gov.

Most of the meeting will be devoted to a discussion of the draft PoC charter that the two co-leaders (myself and Ginger Wright of INL) and Dr. Allan Friedman of NTIA have prepared. We very much want to have the final charter reflect what the group wants it to reflect, so we think it’s important to have this discussion.

3. RSA

Next week is the RSA Conference, which is virtual this year. There are four conference events that will address SBOMs.

The first of these is a presentation by two active participants in the NTIA Software Component Transparency Initiative. One of these is Sounil Yu, CISO of JupiterOne. The other is Josh Corman, a very well-known cybersecurity consultant and researcher (now with CISA) and the developer of the concept of software bill of materials (as well as the name). Their topic is “How CISA Is Charting a Path Toward Defensible Infrastructure”. Knowing both presenters, I can assure you there will be intelligent discussion of SBOMs, and their importance as a component of defensible infrastructure. Their presentation is from 12:45 to 1:25 PM Pacific Time next Tuesday.

The second event is what looks like a really interesting panel discussion entitled “Challenge Accepted: 3 Experts, 3 Big Ideas on Supply Chain Security”. It includes a stellar lineup: Dr. Allan Friedman, Director of Cybersecurity Initiatives of NTIA, Alyssa Feola, Cybersecurity Advisor to the GSA, and Matt Wyckhouse, founder and CEO of Finite State. This discussion will be from 1:30 to 2:10 PM PT on Tuesday (that is, five minutes after Sounil’s and Josh’s presentation ends. Fortunately, you don’t have to worry about running from building to building in the Moscone Center for this year’s RSAC!).

The third event is a panel discussion entitled “DBOM and SBOM: New Options For Better Supply Chain Cybersecurity”. The panel is led by Mark Weatherford, former NERC CISO (and much more), and includes Jennifer Bisceglie, Founder and CEO of Interos, Chris Blask, Global Director, Industrial and IoT Security, Unisys, and somebody else….oh yes, me[i]. This discussion is from 2:40 to 3:20 PM PT next Thursday 5/20.

I believe that all three of the above sessions were pre-recorded (I know the third one was!), so instead of an interactive Q&A session at the end, there will be Q&A through the chat. You’ll be able to submit questions before or during the session, and the session presenters will be answering them during the session (since they don’t have to talk). I believe there might be a little time at the end for live answers, when the presenters will reply live to a few of the chat questions.

The fourth event occurs immediately after the third one. It’s called a “Live Deeper Dive”, and it consists of Q&A and “engagement” with the four participants in the panel I’m in. Of course, this was not pre-recorded, and it won’t be recorded for later playback. This runs from 3:25 to 3:50 PM PT (i.e. it starts five minutes after the third event ends. Note you need to register for both events).

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] You’ll note that my bio says that my book Supply Chain Cybersecurity for Critical Infrastructure is available now on Amazon. I wrote this in January, when I thought it was just about certain it would actually be available in May. However, I’ve learned to my great surprise that nothing in life is certain, and it’s in fact not available yet (although it’s certainly close to completion). I do expect to have it available in the summer.
