Guidance for government agencies describing “how to” meet the requirements of Cybersecurity Executive Order (EO) 14028 is provided largely by NIST. The “bible” for this guidance is found in NIST SP 800-161 R2, Appendix F (due for final release shortly). On February 4, 2022, NIST published guidance for software vendors to comply with EO 14028, which offers some early insight into what guidance might be contained in the final version of NIST SP 800-161 for government agencies to follow.
Energy Central has been at the forefront of helping companies understand the Software Bill of Materials (SBOM) and its critical role in software risk assessments for EO 14028, following the guidance provided in Appendix F of NIST 800-161 (final version due shortly from NIST). The following guidance is provided to answer the question: “What should a government agency do to satisfy EO 14028 requirements, per NIST SP 800-161, Appendix F?”
- Read the May 12, 2021 Cybersecurity Executive Order 14028, paying close attention to the section 4 requirements.
- Get a baseline understanding of SBOM.
- Learn how to perform a software supply chain risk assessment using SBOM from this Energy Central Powersession video.
- Follow Energy Central guidance for software consumers of SBOM.
- Ask your vendor to provide an SBOM for the product and version that you intend to install.
- Ask the software vendor to provide the SBOM in an NTIA-compliant format (SPDX or CycloneDX) and file format, i.e. JSON, XML (CycloneDX) or Tag/Value (SPDX).
- Ask the vendor to use open-source, free-to-use solutions to provide access to all of the evidence data needed for a risk assessment, including a link to an SBOM vulnerability report that answers the question: “What is the vulnerability status of product P, version V from Supplier S at time(NOW) at the SBOM component level?” Think of this as a “CARFAX” report for a software product, listing all of the known defects and their status at any point in time.
- Identify solution providers and services to help with EO 14028 section 4 software supply chain risk assessment implementation, following the approach used by the Department of Health and Human Services, Centers for Medicare and Medicaid.
- Carefully evaluate each vendor offering following NIST guidance to ensure that the vendor provides all required attestations, and prepare a pilot implementation with a cooperative software vendor that implements NTIA-compliant SBOMs and provides vulnerability reports with each SBOM. An open-source vendor response file format may be used by a software vendor to communicate attestation materials to a software consumer. This will ensure that this NIST guidance is followed: "This is especially true for post-release practices such as vulnerability disclosure and response, where processes might not yet have been performed for the latest release." Get the SBOM VDR "CARFAX for SBOM" from each vendor.
- Read NIST SP 800-161 R2 Appendix F and use it as an EO 14028 compliance checklist for your pilot implementation.
- Perform the pilot project implementation, documenting the process throughout. Look for areas of improvement and refine the process until you are confident that the process is repeatably successful.
- Follow the repeatable process for each software product used in your digital ecosystem that meets the critical software criteria released by NIST.
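
As an illustration of the component-level vulnerability report requested from the vendor in the steps above, the following added example (not code from Energy Central, NIST or any vendor) builds that report from a CycloneDX JSON SBOM. It assumes the vendor embeds vulnerability data in the CycloneDX `vulnerabilities` array; the sample SBOM is constructed, and the function name and verdict labels are hypothetical.

```python
import json
from datetime import datetime, timezone
# Constructed CycloneDX 1.4-style SBOM; every name, version and id is a placeholder.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2022-02-10T12:00:00Z", "supplier": {"name": "Supplier S"},
               "component": {"name": "Product P", "version": "1.0"}},
  "components": [
    {"bom-ref": "c1", "name": "libalpha", "version": "2.3.1"},
    {"bom-ref": "c2", "name": "libbeta", "version": "0.9.0"},
    {"bom-ref": "c3", "name": "libgamma"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "analysis": {"state": "not_affected"}, "affects": [{"ref": "c1"}]},
    {"id": "CVE-0000-0002", "analysis": {"state": "exploitable"}, "affects": [{"ref": "c2"}]},
    {"id": "CVE-0000-0003", "affects": [{"ref": "c2"}]}
  ]
}
"""

def vulnerability_report(sbom, now=None):
    """Answer: status of product P, version V from supplier S at time NOW, per component."""
    meta = sbom.get("metadata", {})
    by_ref = {}
    for vuln in sbom.get("vulnerabilities", []):
        # A record with no analysis state has not been dispositioned by the vendor yet.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            by_ref.setdefault(target["ref"], []).append((vuln["id"], state))
    rows = []
    for comp in sbom.get("components", []):
        findings = sorted(by_ref.get(comp.get("bom-ref"), []))
        if not comp.get("version"):
            # Without a version the component cannot be matched to advisories.
            verdict = "unassessable"
        elif any(s in ("exploitable", "in_triage") for _, s in findings):
            verdict = "action_required"
        else:
            verdict = "ok"
        rows.append({"component": comp["name"], "version": comp.get("version"),
                     "findings": findings, "verdict": verdict})
    product = meta.get("component", {})
    return {"supplier": meta.get("supplier", {}).get("name"),
            "product": product.get("name"), "version": product.get("version"),
            "as_of": (now or datetime.now(timezone.utc)).isoformat(),
            "components": rows}

if __name__ == "__main__":
    print(json.dumps(vulnerability_report(json.loads(SBOM_JSON)), indent=2))
```

Re-running the report against a refreshed SBOM or vulnerability feed gives the point-in-time view the “CARFAX” analogy describes; a component reported as `unassessable` is a gap to raise with the vendor before installation.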