The National Telecommunications and Information Administration is asking stakeholders to comment on how it intends to describe “minimum elements” of a software bill of materials, or SBOM, in line with a May 12 executive order issued in the wake of a series of sweeping cybersecurity incidents.
“Software is made and used by a wide range of organizations, but this diversity makes a single model for SBOM difficult,” reads a Federal Register notice set to publish Wednesday. “There is no one-size-fits-all approach to providing transparency for software assurance.”
In response to the SolarWinds hacking campaign, where adversaries were able to leverage their unauthorized access to the commonly-used IT management company to distribute malware to thousands of public and private organizations, the Biden administration issued Executive Order 14028. It will eventually require federal agencies to follow certain security guidelines when purchasing software. To inform those, NTIA was instructed to, within two months, “publish minimum elements of an SBOM.”
An SBOM is typically likened to the list of ingredients on food labels. Just like that might warn someone with an allergy to stay away, the idea is that visibility into software components will help tip off procurement officers against overly risky offerings.
But software supply chains run deep, and there are disagreements about how far down an SBOM needs to go in order to reap cybersecurity benefits.
“An ingredient list alone does not give you actionable information,” said Katie Moussouris, founder and CEO of Luta Security. Moussouris specializes in vulnerability disclosure and bug bounty programs, and designed the Hack the Pentagon program.
Testifying before the House Science Committee Tuesday on the recent hacking campaigns, she added, “While new requirements like SBOMs may make supply chain vulnerabilities faster to respond to in theory, producing or consuming an SBOM would have had no effect in stopping or detecting either the SolarWinds or the Codecov supply chain attacks.”
Among other things, the NTIA is proposing minimum elements of an SBOM include the following data fields for “baseline component information”: supplier name, component name, version of the component, [cryptographic] hash of the component, any other unique identifier, dependency relationship, and author of the SBOM data.
The agency noted ways elements it identified in the notice might be adjusted to include additional information for applying SBOMs in the service of cybersecurity, including the ability to connect software components to known vulnerabilities.
But even if the NTIA were to include this information in its description of a bare-minimum SBOM, it takes humans to make risk-based decisions about the danger such vulnerabilities pose within particular products or systems, Moussouris said, and there are not enough of those to go around in cybersecurity.
“An SBOM requiring too little information at a minimum would force additional skilled security analysis in order to determine risk,” reads her written testimony. “With limited cybersecurity workers, performing this data enrichment step could displace vital security work that might have a greater [return on Investment] towards the desired secure supply chain outcomes.”
Moussouris’ testimony also asserted that a multistakeholder group NTIA has been hosting since 2018 to deliberate over a standard SBOM is predominantly composed of “industry participants with huge existing investments in internal specialized security teams—the security and incident responder 1%.”
“We have no broad field data on how less mature organizations will fare in this new requirement versus investing in other fundamental security efforts,” she wrote.
The NTIA’s request for public comment is open for 15 days from the notice being issued.