Tuesday, October 19, 2021

How can SBOMs help with compliance?
Yesterday, Tobias Whitney of Fortress Information Security introduced to the NERC Supply Chain Working Group a white paper entitled “Enhancing Cybersecurity Best Practices with Software Bill of Materials (SBOM)”. This is a well-written paper that discusses how utilizing supplier-provided SBOMs for cyber risk management purposes can help an electric utility (or other power market participant, such as an IPP) in its many cybersecurity compliance obligations, both those imposed by NERC/FERC (i.e. the NERC CIP standards) and those that may be “imposed” by the utility itself, such as NIST 800-53, NIST 800-171 (CMMC), and the National Defense Authorization Act (NDAA).

Fortress doesn’t pretend that SBOMs are a requirement for compliance with any of these standards; in fact, none of these standards even mentions SBOMs. However, the paper identifies particular requirements in each standard whose purpose could be better fulfilled with SBOMs than otherwise. In other words, Fortress asks, for each of these requirements, “Can SBOMs help utilities address the best practice that is the goal of this requirement? If so, how?”

For example, for NERC CIP-007-6 R2 (a requirement where it had never occurred to me that SBOMs might help), Fortress points out that having a recent SBOM from the supplier would help the utility “evaluate security patches for applicability”, as required by R2.2, as well as evaluate the security impact of applying the patch.
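To make the R2.2 point concrete, here is an added example (not code from the original post or from the Fortress paper): a short Python script that checks a patch notice against a constructed SBOM to decide whether each fix applies to the components actually in the product. The SBOM contents, component versions and the patch-notice layout are all made up for the example.

```python
import json
import re

# Constructed, simplified CycloneDX-style SBOM for a hypothetical "relay-hmi" product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "relay-hmi", "version": "4.2.0"}},
  "components": [
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"}
  ]
}
"""

# Constructed patch notice (hypothetical layout): the components the patch fixes and
# the exclusive upper bound of the affected version range for each.
PATCH_NOTICE = {
    "patch_id": "EXAMPLE-PATCH-001",
    "fixes": [
        {"component": "openssl", "affected_below": "1.1.1l"},   # installed 1.1.1k -> affected
        {"component": "zlib",    "affected_below": "1.2.11"},   # installed 1.2.11 -> already fixed
        {"component": "libxml2", "affected_below": "2.9.13"},   # not in the product at all
    ],
}

def parse_version(version):
    """Turn '1.1.1k' into a tuple of (int, suffix) pairs so versions compare sensibly."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d*)(.*)", piece)
        parts.append((int(match.group(1) or 0), match.group(2)))
    return tuple(parts)

def evaluate_patch_applicability(sbom_json, patch_notice):
    """Map each fixed component to (status, reason) using only the SBOM's component inventory."""
    sbom = json.loads(sbom_json)
    installed = {c["name"]: c["version"] for c in sbom.get("components", [])}
    results = {}
    for fix in patch_notice["fixes"]:
        name, bound = fix["component"], fix["affected_below"]
        if name not in installed:
            results[name] = ("not_applicable", "component not listed in SBOM")
        elif parse_version(installed[name]) < parse_version(bound):
            results[name] = ("applicable", f"installed {installed[name]} is below {bound}")
        else:
            results[name] = ("not_applicable", f"installed {installed[name]} is not below {bound}")
    return results
```

The SBOM only settles whether an affected component is present; whether the flaw is actually exploitable in the product is the question a VEX document answers, which is why the two go together.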

I recommend that you download and read this excellent paper.

Also, I recommend that you attend the bi-weekly SBOM Energy PoC meeting tomorrow (Wednesday, October 20) at noon ET. No sign-up is required, although if you’re not already on the PoC mailing list, I recommend you join it by sending a request to sbomenergyPOC@inl.gov. The URL for the meeting is here.

The topic of tomorrow’s meeting will be VEX, the “companion” document to SBOMs, which now seems as important as SBOMs themselves. Dr. Allan Friedman of CISA, leader of the Software Component Transparency Initiative, will describe why VEX was developed in the first place, as well as how it works. There should be ample time for Q&A.

See you tomorrow!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
