Honorable members of Congress, I know your job can be difficult: you must balance the varied opinions of biased parties trying to influence how and what you vote on in the many bills that cross your paths. This article is also a biased plea, from a cybersecurity professional, requesting that you keep the SBOM provision in upcoming legislation and support the government agencies, e.g., CISA and NIST, that are trying so hard to keep the critical infrastructure that your districts and States depend on safe from hacker attacks.
Cybersecurity professionals have an extremely stressful and difficult job. They never know where the next cyber attack will come from or when it will occur. Constant vigilance is required, and they must be prepared to respond immediately. Cybersecurity professionals are the first responders when cyber attacks occur, and they need access to the tools that enable them to do their jobs effectively, to keep critical infrastructure operating and the people who depend on it safe from harm.
Software is the hackers' preferred weapon in cyber attacks. Software also serves a vital role in keeping your district's critical infrastructure operating smoothly. Cybersecurity practitioners maintain a high level of vigilance, monitoring for suspicious activities that could be indicators of a cyber attack on this critical infrastructure software. An SBOM is a vitally important tool that helps these practitioners monitor for risk and vulnerabilities in the software used to operate critical infrastructure. An SBOM enables cybersecurity personnel to implement monitoring tools and methods designed to proactively warn of new vulnerabilities and risks in installed software whenever a new software vulnerability is reported. This proactive warning enables practitioners to take mitigating actions that shrink the "window of susceptibility" that hackers use to their advantage today.
Some within the software industry want you to believe that SBOM is premature, not scalable, or not ready for consumers to use. This is misinformation that should not be believed. The SBOM community of software developers and tooling vendors has been hard at work for over 4 years on standards for SBOM, specifically SPDX and CycloneDX, and on tools to implement those standards; both formats are supported by NIST, the NTIA and CISA. Some large software vendors, e.g., Microsoft, have committed to producing SBOMs and are supporting the SBOM developer and consumer communities with open-source SBOM generation and consumption tools. Open-source tools are available to help software vendors meet OMB M-22-18 requirements for attestations, including SBOMs and Vulnerability Disclosure Reports, as recommended by NIST to meet Executive Order 14028 objectives.

Scalable SBOM delivery is also easily achieved using the same tools and techniques that software vendors use today to distribute their software products. An SBOM is just one more text file that a software vendor can provide to customers, just as many software end-user license files are provided today. Open-source tools, such as the free-to-use Vendor Response File (VRF) format, make it easy for a software vendor to distribute attestation materials, such as an SBOM, to consumers. A VRF is like a table of contents for a vendor's product catalog: it enables consumers to automatically download and store the product attestations provided by a vendor, including SBOMs, Vulnerability Disclosure Reports and other materials, such as NIST's Secure Software Development Framework self-attestation form required under OMB M-22-18.
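To make the "proactive warning" mechanism above concrete, here is an added example (not from the original article or from any SBOM tool) of the consumer side: it reads a small constructed CycloneDX SBOM and checks each installed component against a constructed advisory feed, flagging only components whose installed version is older than the fixed version. The component names, versions and advisory ids are placeholders, not real products or real vulnerabilities.

```python
"""Match a CycloneDX SBOM against newly published vulnerability advisories.

The SBOM and the advisory feed below are constructed sample data, not
real products or real CVEs. Version comparison uses simple dotted
integers, which is enough for the sample but not for every ecosystem."""
import json

# Constructed CycloneDX 1.4 JSON document with three components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-parse", "version": "2.3.1",
     "purl": "pkg:generic/libexample-parse@2.3.1"},
    {"type": "library", "name": "examplecrypto", "version": "1.0.9",
     "purl": "pkg:generic/examplecrypto@1.0.9"},
    {"type": "library", "name": "examplelog", "version": "4.2.0",
     "purl": "pkg:generic/examplelog@4.2.0"}
  ]
}"""

# Constructed advisory feed: placeholder ids, affected component, fixed version.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "libexample-parse", "fixed_in": "2.3.2"},
    {"id": "ADV-PLACEHOLDER-002", "name": "examplelog", "fixed_in": "4.1.5"},
    {"id": "ADV-PLACEHOLDER-003", "name": "notinstalled", "fixed_in": "9.9.9"},
]


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_advisories(components, advisories):
    """Return (name, version, advisory id) for each installed component
    whose version is older than the advisory's fixed version."""
    hits = []
    for name, version in components:
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in match_advisories(load_components(SBOM_JSON), ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Note that examplelog is not flagged because its installed version (4.2.0) is already newer than the fix, which is exactly the noise an SBOM-aware check removes compared with matching on component name alone.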
The next time someone tries to convince you that SBOM is not ready, please remember that the cybersecurity professionals who are working so hard to keep the lights on and the water flowing in your district need an SBOM to proactively monitor for software vulnerabilities that could adversely impact your district and the citizens who depend on this critical infrastructure.
Please don't hamstring your own cybersecurity professionals' ability to do their jobs. Show support for your own cybersecurity personnel by giving them the tools they need. Hold software vendors accountable and demand that they deliver SBOMs for their products. Your cybersecurity staff and your constituents will thank you for doing your part to keep the lights on and the hackers at bay.
Advice to help software vendors prepare to meet OMB M-22-18 requirements is available online.