In the SBOM Forum meeting last Friday,
we had a lively discussion – nay, argument – on a question that frankly
surprised me: Will it take regulation to make SBOMs widely distributed and
widely used by private and governmental organizations whose main business isn’t
software?
It’s quite
clear that SBOMs are being widely used by software developers for
their own product security purposes. However, it’s also clear that SBOMs are
not being widely – or even narrowly – distributed to non-developers[i]. And, while there are
certainly a lot of suppliers who don’t want to distribute SBOMs, there are also
a lot of users who would like to utilize the information that SBOMs provide,
but have no idea how they will be able to get that information from an SBOM when
they receive it. This is because there aren’t any low-cost, commercially
supported tools (or really any tools at all) that ingest both SBOMs and VEX
information and output lists of exploitable component vulnerabilities in a
particular product and version.
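To make concrete what such a tool would have to do, here is an added example (my own illustration, not code from the post or from any SBOM vendor) that correlates a constructed SBOM with constructed VEX statements and outputs the component vulnerabilities that remain exploitable for one product and version. The product name, component names, package URLs and vulnerability IDs are all placeholders; the field names loosely follow CycloneDX conventions (bom-ref, metadata.component, analysis states such as not_affected and in_triage), but the shape is an assumption for illustration, not a validated CycloneDX document.

```python
from typing import Dict, List

# Constructed sample SBOM for a hypothetical product "WidgetServer 2.1.0".
SAMPLE_SBOM = {
    "metadata": {"component": {"name": "WidgetServer", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:generic/libparse@1.4.2", "name": "libparse", "version": "1.4.2"},
        {"bom-ref": "pkg:generic/netcore@3.0.1", "name": "netcore", "version": "3.0.1"},
        {"bom-ref": "pkg:generic/imgdecode@0.9.0", "name": "imgdecode", "version": "0.9.0"},
    ],
}

# Constructed VEX statements from the hypothetical supplier. The vulnerability IDs are
# placeholders, not real CVEs; "state" mirrors CycloneDX-style analysis states.
SAMPLE_VEX = {
    "product": {"name": "WidgetServer", "version": "2.1.0"},
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-001", "affects": ["pkg:generic/libparse@1.4.2"],
         "state": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"id": "VULN-PLACEHOLDER-002", "affects": ["pkg:generic/netcore@3.0.1"],
         "state": "exploitable"},
        {"id": "VULN-PLACEHOLDER-003", "affects": ["pkg:generic/imgdecode@0.9.0"],
         "state": "in_triage"},
        # Deliberately references a component the SBOM does not list, so the
        # inconsistency check below has something to catch.
        {"id": "VULN-PLACEHOLDER-004", "affects": ["pkg:generic/libmissing@1.0.0"],
         "state": "exploitable"},
    ],
}

# States under which the supplier asserts the product is NOT exposed. Anything else
# (exploitable, in_triage, or no state at all) is treated as exploitable until a
# later VEX statement says otherwise: the conservative choice for a consumer.
NOT_EXPLOITABLE_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def index_components(sbom: Dict) -> Dict[str, Dict]:
    """Map each component's bom-ref to its record so VEX 'affects' refs can be resolved."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def exploitable_vulns(sbom: Dict, vex: Dict, product_name: str, product_version: str) -> List[Dict]:
    """Return the component vulnerabilities still exploitable in product_name/product_version.

    Both documents must describe exactly that product and version; a VEX for a
    different version must not be applied, since the analysis may not carry over.
    """
    sbom_product = sbom["metadata"]["component"]
    if (sbom_product["name"], sbom_product["version"]) != (product_name, product_version):
        raise ValueError("SBOM describes a different product or version")
    vex_product = vex["product"]
    if (vex_product["name"], vex_product["version"]) != (product_name, product_version):
        raise ValueError("VEX does not apply to this product or version")

    components = index_components(sbom)
    findings: List[Dict] = []
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("state", "in_triage")
        if state in NOT_EXPLOITABLE_STATES:
            continue
        for ref in vuln.get("affects", []):
            component = components.get(ref)
            if component is None:
                # The supplier's VEX names a component the SBOM omits: report it so the
                # mismatch between the two documents is visible, not silently dropped.
                findings.append({"component": ref, "version": None, "vuln": vuln["id"],
                                 "state": state, "note": "component not in SBOM"})
                continue
            findings.append({"component": component["name"], "version": component["version"],
                             "vuln": vuln["id"], "state": state, "note": ""})
    return findings


if __name__ == "__main__":
    for f in exploitable_vulns(SAMPLE_SBOM, SAMPLE_VEX, "WidgetServer", "2.1.0"):
        print(f"{f['vuln']}: {f['component']} {f['version'] or ''} [{f['state']}] {f['note']}")
```

The two design choices worth noting are that unstated or in-triage vulnerabilities are reported rather than hidden, and that the product/version match is enforced before any VEX statement is trusted; a consumer tool that skipped either check would under-report.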
In the meeting on Friday, a number
of well-known, very experienced people in the SBOM space were telling me that
SBOMs won’t really be distributed until suppliers are forced to do that by
regulations. However, those people say that regulations are right around the
corner, so SBOMs are also surely right around the corner.
I frankly don’t know what these
people are talking about. I’m optimistic that within two years there will be substantial
distribution and use of SBOMs. However, it won’t be due to regulation. It will
be due to – dare I say it? – the operation of the free market. Simply put, it
will be due to organizations that use SBOMs deciding that a) they want to have
the information that can be gained from SBOMs, and b) the tools and/or services
needed to obtain that information are readily available to them (which they
aren’t now).
Here is why regulations aren’t
coming (or at least not in anywhere near the volume or strength required to
make a difference), and also why they wouldn’t be needed, even if they were
coming:
1. I, like everyone else involved with SBOMs,
thought Executive Order 14028 would be a game changer; it certainly did change
the game in terms of awareness of SBOMs. But the date for compliance with
Section 4(e) of the EO (which includes the SBOM provisions) was set by OMB for August
10, 2022. On that date, government agencies were supposed to start requiring
SBOMs from their suppliers. I haven’t heard of any flood of SBOMs after that
date, have you?
2. After that date passed, expectation grew for
OMB’s EO implementation memo in September. But that memo, when it appeared, required
every agency to…decide for themselves what if anything to do about SBOMs. Not
exactly a game-changer, IMHO.
3. The memo does require an attestation from the
supplier about their software development practices (including SBOMs), but if
the supplier attests that they will produce an SBOM and don’t do it, or if they
just attest that they won’t produce one at all, there’s no mechanism for an
agency to force the supplier to do this. And if an agency were to even consider
terminating a relationship with a supplier due to failure to produce an SBOM, the
supplier will simply say, “Please show me where in our current contract it says
we’re required to produce SBOMs.”
4. Indeed, the EO did call for changes in the
Federal Acquisition Regulation (FAR), which would be required in order to
change new contracts. I haven’t heard anything about any changes in FAR being implemented
(and I don’t know whether they require Congressional approval if so). And even
when the FAR is changed, remember that would only apply to new acquisitions,
not to any current contracts. Of course, federal contracts with suppliers are
usually multiyear, meaning it will be years before any changes will be
implemented due to the EO.
5. So – and I should have realized this initially –
there’s simply no way that the EO is going to make any real difference in
SBOMs, unless federal agencies decide they really need SBOMs (or at
least data from them) and do more than just ask meekly for an SBOM – then move
to the next topic when the supplier says no. In other words, it will be demand
from consumers – the agencies – that will drive federal use of SBOM data. The
EO certainly will have played a big role in inspiring that demand, but it won’t
be the reason that SBOMs are being distributed and used.
6. If not from the EO, where is federal regulation going
to come from, which will force suppliers to provide SBOMs to their users? Of course,
there’s the FDA, which was empowered by Congress in December to require medical
device manufacturers to meet cybersecurity requirements – including one for
SBOMs – in order to be approved to market their devices in the US. In the SBOM
Forum meeting, several people pointed to this as a reason why there would soon
be a lot of regulations – i.e., other agencies would rush to jump on the FDA’s
bandwagon.
7. But this development isn’t new news. In 2017,
the FDA put out a memo saying they intended to require SBOMs (and other cybersecurity
measures, to be sure) in the future, without giving a date. The December
Omnibus bill finally gave them the authorization to do that. But if other
agencies were going to jump on that bandwagon, they would have done it years
ago.
8. However, what other government agency could
jump on this bandwagon? It would have to be one that currently has the power to
regulate suppliers, for anything other than product safety. The Nuclear
Regulatory Commission (or one of the other nuclear power agencies – there are a
few) is one. The military and intelligence agencies are certainly another. Is
there any other? Not that I know of. In other words, currently there’s no
authority for any government agency to require anything besides product safety
of the suppliers of any industry outside of nuclear power or the military/three-letter
agencies. Where are all these requirements for SBOMs going to come from?
9. A supplier to critical infrastructure brought up
that sector (or sectors) as a likely subject of mandatory SBOM requirements
soon. But what agency is going to promulgate those requirements? Remember, the
agency would need to have responsibility for the suppliers to an industry, not
just the members of the industry itself. A good illustration is the NERC
CIP-013 supply chain cybersecurity standard, which came into effect in 2021 and
is the only supply chain security standard that I know of outside of the FDA, military
and nuclear power. But CIP-013 doesn’t regulate power industry suppliers, since
FERC (which provides the enforcement power behind NERC standards) has no authority
at all over suppliers. The utilities are supposed to develop supply
chain cyber risk management plans, a big component of which is managing vendor
risk, and they can face penalties if they develop a slapdash plan, or if they
don’t follow the plan they developed.
10. Sure, the power industry suppliers have felt a
lot of pressure from their utility customers due to CIP-013, and are getting
their collective cybersecurity acts together; but they don’t face any direct
penalties if they refuse to cooperate at all, unless the utilities take
action against them like dropping them as suppliers. As with the EO, CIP-013
will only be effective if the regulated entities (government agencies in the
case of the EO, and electric utilities in the case of CIP-013) demand security
measures of the suppliers (of course, CIP-013 doesn’t say anything directly
about SBOMs, but a utility can certainly require them if they think they’re
important. To be honest, I doubt too many are doing that now, although the
Edison Electric Institute did put out model contract language recently that
includes a modest SBOM provision).
11. Bottom line: If there’s going to be regulation
of suppliers in the US – other than safety regulations – it will have to be
from some new agency still to be created by Congress. I haven’t heard the
slightest peep about that happening, have you?
However, I am quite optimistic that
SBOMs will be widely used (or more importantly, that the data to be derived
from SBOMs and VEX information will be widely used) within the next two years –
although “widely” is relative. The total “market” for SBOMs is every
organization, public or private, on the planet. Ultimately, that’s what “widely”
will mean, but I won’t even guess when that will come into existence.
Fortunately, there’s lots of growth opportunity long before that outcome is
realized.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] The one exception being the German auto industry, whose device suppliers (the
average German car now has about 50 computing devices in it) are distributing
SBOMs in large quantities to the car manufacturers (known as OEMs in industry
parlance). But the primary use case is license management for open source
components, not software or firmware security.