Dr. Allan Friedman, who has been running the Software Component Transparency (SBOM) Initiative of the National Technology and Information Administration (NTIA) of the US Department of Commerce since its inception in 2018, announced recently that, as of later in August, he will move from NTIA to CISA (the Cybersecurity and Infrastructure Security Agency) in DHS.
When Allan announced this (and I’m sure he’s done it at least ten times in different meetings of the Initiative, including our Energy Proof of Concept meeting on Wednesday of this week), he has always immediately followed that by saying that he will still be completely involved in the work of the Initiative. But the Initiative will change, simply because CISA is a very different organization from NTIA.
Of course, it’s too early to know how it will change. Allan has promised (I believe him, too) that the whole group involved in the Initiative (there must be at least 200 people who attend at least one of the meetings in any given month, including from Europe and Japan) will meet with him in September to decide the way forward. This isn’t to say it will be a democratic process, but at least people will have their input.
Allan has pointed out many times over the past two weeks that the Initiative started from just about zero in 2018, and now has built up a substantial body of experience, knowledge and especially written guidance about SBOMs. This couldn’t have happened without the NTIA’s approach to launching a new technology (as they did with DNS in the 1980s and 1990s, and as they’re now doing with 5G).
To launch a new technology, NTIA doesn’t gather a bunch of wise people in a room (virtual or otherwise), who scratch their chins, offer profound thoughts, develop a very thoroughly researched document describing in great detail all of the ins and outs and do’s and don’ts of the new technology, then go home and congratulate themselves on a job well done, whether or not anybody’s even looking at what they’ve written.
Rather, the NTIA gets the actual stakeholders together to figure out what’s needed for the new technology to succeed, and what’s the best way to get there; there are no preconditions, and all meetings and documents are completely public. In the case of SBOMs, a key tool is the industry-focused Proofs of Concept, of which there are currently three (healthcare, autos and energy). It’s possible the three PoCs will remain under NTIA’s auspices, simply because they’re working well and there’s no reason to mess with a good thing (the energy PoC is especially fortunate, since Idaho National Labs is providing support in many ways, including the web site and Ginger Wright, my very able co-leader in the effort). Of course, Allan will be able to participate in the meetings, no matter what agency they’re “under”.
So if everything was going so well, why is Allan making this switch? I believe (without having discussed it with him yet) that he looked at the number of cybersecurity professionals inside NTIA (a small number, certainly) vs. the number inside CISA (CISA had about 3400 employees last year, and I’m sure that number has already jumped a lot, especially as they keep getting more jobs added to their portfolio). And he saw that both he and the SBOM “movement” (cult?) can expand in all sorts of ways if they’re part of CISA, that they couldn’t even dream of under NTIA. There are some really huge possibilities, and Allan has just begun to explore them.
Good luck in the new gig, Allan! A new world is opening up for you and for SBOMs.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.