Next week might as well be called SBOM Week (or maybe “Take your SBOM to work week”), because of all the events that are taking place – four of which you can attend or participate in! Here they are:
1. Joe Biden kicks the week off
It is widely rumored (and was even mentioned in a webinar that I attended last week) that the new Executive Order for software security (although it might not have exactly that title) will be released next week, with Monday the most likely day for it to happen. It’s further rumored – in fact it’s just about certain – that SBOMs will play a prominent role in the EO. Because the order will focus on measures to improve the software security of federal agencies, it’s likely the EO will encourage federal agencies to require that software suppliers provide SBOMs with their products. Of course, if suppliers start producing SBOMs for the Feds, they’ll produce them for all of their customers.
However, what I’m hoping the EO doesn’t do is require suppliers to the Feds to start providing SBOMs anytime within, say, the next 24 months. There are still far too many questions that need to be worked out about how SBOMs will be produced, distributed and used – and most importantly there’s a lack of appropriate software tools that would allow most organizations to easily utilize SBOMs for such purposes as vulnerability management. In this post, I said that it would be best if the EO just said that a rulemaking would begin in, say, two years. This will give industry (and by the way, the EO will apply to all federal agencies, not just those having to do with the energy industry) time to come to at least rough agreement on the rules of the SBOM game (see the next item below).
On the other hand, simply saying that some sort of mandatory requirement for SBOMs will come at some time in the future will provide a big wakeup call that SBOMs need to be taken seriously by a) any organization that produces software (for its own use, or for use by other organizations), and b) any organization that uses software. Which pretty well covers every organization on the planet - although obviously it’s the larger ones who will derive the most benefit from having SBOMs available.
Another very likely component (no pun intended) of the EO is that it will identify the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce as the lead organization for working out the “rules of the road” for SBOMs. This won’t be any surprise if it happens, since I know of literally no other venue worldwide where rules and procedures for SBOMs are even being discussed (and many people from Europe and Japan regularly participate in the NTIA meetings).
Note from Tom 7:18 PM CT on Wednesday: I should have said the EO will be out "by Monday", not "on Monday". I just received it from Mark Weatherford and I'm going through it now. I'll have a post out tomorrow. It definitely has SBOMs in it and it definitely seems to require them for software sold to the government. When? As of the effective date. Nothing about waiting a year or two. Oh well...
And that leads to the next event in SBOM Week:
2. SBOM Energy Proof of Concept workshop
As I’ve mentioned many times (including in this post from last November), the NTIA’s “laboratories” for developing agreement on rules of the road for SBOMs are Proofs of Concept. The first of these – which is still ongoing, although in a further iteration – was for the healthcare industry (it started in 2018). Now an energy PoC is starting, as well as an Autos PoC (where the big automobile manufacturers are the “consumers” of various electronic components that go in cars, and of course the component manufacturers are the producers. I’m looking forward to the day when I’ll be able to choose a car not just based on whether it has a sunroof, but on how many unpatched software vulnerabilities are found in it).
The energy PoC is starting with a series of workshops, which are open to everybody, as long as you’re a user of electricity. These will discuss what has already been accomplished as far as SBOM rules of the road are concerned, as well as what remains to be accomplished. These will not mainly be presentations, but will be quite interactive, including discussions and demonstrations of tools, etc. They’ll be recorded, with the links posted on the PoC’s in-progress website, hosted by those good folks at Idaho National Laboratories (DoE is a co-sponsor of the PoC, along with NTIA).
But note that the goal of the PoC isn’t just education but collaboration – in which software suppliers and users jointly work out the rules of engagement for SBOMs. Fortunately, the energy PoC will be able to build on the 2+ years of experience of the healthcare PoC, but there’s still a lot to be worked out (plus we’re under no obligation to slavishly follow what the healthcare folks have done. There are definitely differences between the industries, which might well require differing approaches to SBOMs).
The second PoC workshop will be next Wednesday from 12-1 ET (and that will be the time for our bi-weekly meetings going forward, based on the results of the Doodle poll that we sent out after the first workshop). The connection information is:
Date: May 19, 2021
Time: 12pm-1pm ET
Teams link: https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDU1NGVlMGUtZmIwYi00OWUxLWIxZjItNjc5ZDY4ODJlMzI4%40thread.v2/0?context=%7b%22Tid%22%3a%22d6cff1bd-67dd-4ce8-945d-d07dc775672f%22%2c%22Oid%22%3a%22a62b8f72-7ed2-4d55-9358-cfe7b3e4f3ed%22%7d
Dial-in: +1 202-886-0111,,114057520#
Other Numbers:
https://dialin.teams.microsoft.com/2e8e819f-8605-44d3-a7b9-d176414fe81a?id=114057520
There’s no sign-up for the workshop, but you should make sure you’re on the PoC mailing list. To join (or if you want to confirm you’re already on the list), send an email to sbomenergypoc@inl.gov.
Most of the meeting will be devoted to a discussion of the draft PoC charter that the two co-leaders (myself and Ginger Wright of INL) and Dr. Allan Friedman of NTIA have prepared. We very much want to have the final charter reflect what the group wants it to reflect, so we think it’s important to have this discussion.
3. RSA
Next week is the RSA Conference, which is virtual this year. There are four conference events that will address SBOMs.
The first of these is a presentation by two active participants in the NTIA Software Component Transparency Initiative. One of these is Sounil Yu, CISO of JupiterOne. The other is Josh Corman, a very well-known cybersecurity consultant and researcher (now with CISA) and the developer of the concept of software bill of materials (as well as the name). Their topic is “How CISA Is Charting a Path Toward Defensible Infrastructure”. Knowing both presenters, I can assure you there will be intelligent discussion of SBOMs, and their importance as a component of defensible infrastructure. Their presentation is from 12:45 to 1:25 PM Pacific Time next Tuesday.
The second event is what looks like a really interesting panel discussion entitled “Challenge Accepted: 3 Experts, 3 Big Ideas on Supply Chain Security”. It includes a stellar lineup: Dr. Allan Friedman, Director of Cybersecurity Initiatives of NTIA, Alyssa Feola, Cybersecurity Advisor to the GSA, and Matt Wyckhouse, founder and CEO of Finite State. This discussion will be from 1:30 to 2:10 PM PT on Tuesday (that is, five minutes after Sounil’s and Josh’s presentation ends. Fortunately, you don’t have to worry about running from building to building in the Moscone Center for this year’s RSAC!).
The third event is a panel discussion entitled “DBOM and SBOM: New Options For Better Supply Chain Cybersecurity”. The panel is led by Mark Weatherford, former NERC CISO (and much more), and includes Jennifer Bisceglie, Founder and CEO of Interos, Chris Blask, Global Director, Industrial and IoT Security, Unisys, and somebody else….oh yes, me[i]. This discussion is from 2:40 to 3:20 PM PT next Thursday 5/20.
I believe that all three of the above sessions were pre-recorded (I know the third one was!), so instead of an interactive Q&A session at the end, there will be Q&A through the chat. You’ll be able to submit questions before or during the session, and the session presenters will be answering them during the session (since they don’t have to talk). I believe there might be a little time at the end for live answers, when the presenters will reply live to a few of the chat questions.
The fourth event occurs immediately after the third one. It’s called a “Live Deeper Dive”, and it consists of Q&A and “engagement” with the four participants in the panel I’m in. Of course, this was not pre-recorded, and it won’t be recorded for later playback. This runs from 3:25 to 3:50 PM PT (i.e. it starts five minutes after the third event ends. Note you need to register for both events).
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] You’ll note that my bio says that my book Supply Chain Cybersecurity for Critical Infrastructure is available now on Amazon. I wrote this in January, when I thought it was just about certain it would actually be available in May. However, I’ve learned to my great surprise that nothing in life is certain, and it’s in fact not available yet (although it’s certainly close to completion). I do expect to have it available in the summer.