Software bills of materials (SBOMs) are getting a lot of attention as tools to help federal agencies improve their supply chain risk management. Although there’s some disagreement over when agencies will actually start benefiting from them, many agencies are currently laying the foundation to start using SBOMs. For example, the State Department is currently forming a working group to develop guidance and procedures on how to capture and store them.
“We’re not there yet,” said Zetra Batiste, enterprise chief information security officer for cybersecurity supply chain risk management (C-SCRM) at the State Department’s Bureau of Information Resource Management, on Federal Monthly Insights – Supply Chain Risk Management. “However, we do realize the need for ongoing collaboration with industry and government stakeholders to ensure that we’re harmonizing that federal effort on automating and building a repository of SBOMs for reciprocity.”
Often described as an ingredient list for software, SBOMs create transparency by detailing the various components in a piece of software, and the various dependencies between those components.
Batiste said there are currently a number of challenges inherent in the use of SBOMs that need to be solved. For one thing, they need to be automatically generated and machine readable. Developing the processes and formats for that isn’t easy. Add on top of that a general lack of training and knowledge of how SBOMs work, since they’re a fairly new concept.
And when they are used, a software development team has to stop what it’s doing every time an SBOM reveals a vulnerability, and mitigate that. That takes time. And sometimes those vulnerabilities turn out to be false positives. That’s why Batiste said the C-SCRM team is currently working on a solution to ingest SBOMs.
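To make the ingestion step concrete, here is an added example (not code from the State Department or from the article) that parses a machine-readable SBOM in the CycloneDX JSON layout, matches its components against an advisory feed by name and version so that an already-patched version is not reported as a false positive, and traces each finding through the dependency graph to the top-level package that pulls it in. The SBOM contents, package names and advisory ids are all constructed for this example.

```python
import json
# Constructed CycloneDX-style SBOM: the JSON layout is the real format, the packages are invented.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:pypi/webapp@2.0.0",    "name": "webapp",    "version": "2.0.0"},
    {"bom-ref": "pkg:pypi/parserlib@1.4.2", "name": "parserlib", "version": "1.4.2"},
    {"bom-ref": "pkg:pypi/loglib@3.1.0",    "name": "loglib",    "version": "3.1.0"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/webapp@2.0.0",    "dependsOn": ["pkg:pypi/parserlib@1.4.2"]},
    {"ref": "pkg:pypi/parserlib@1.4.2", "dependsOn": ["pkg:pypi/loglib@3.1.0"]},
    {"ref": "pkg:pypi/loglib@3.1.0",    "dependsOn": []}
  ]
}"""

# Constructed advisory feed with placeholder ids (not real CVEs); versions below fixed_in are affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "parserlib", "fixed_in": "1.4.0"},  # 1.4.2 already carries the fix
    {"id": "EXAMPLE-0002", "name": "loglib",    "fixed_in": "3.2.0"},  # 3.1.0 is still affected
]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def match_advisories(comps, advisories):
    """Flag a component only if its version is below the fix; a name-only match would
    also flag parserlib 1.4.2 for EXAMPLE-0001, the false positive the team would then triage."""
    return [{"id": a["id"], "component": c["bom-ref"]}
            for c in comps.values() for a in advisories
            if a["name"] == c["name"] and parse_version(c["version"]) < parse_version(a["fixed_in"])]

def dependency_path(deps, root, target, seen=None):
    """Depth-first walk so a finding can be traced to the top-level package that pulls it in."""
    seen = set() if seen is None else seen
    if root == target:
        return [root]
    seen.add(root)
    for child in deps.get(root, []):
        path = None if child in seen else dependency_path(deps, child, target, seen)
        if path:
            return [root] + path
    return None

def triage(sbom_text, advisories, root):
    """Parse the SBOM, match its components against the advisories, trace each finding to root."""
    bom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return [dict(f, path=dependency_path(deps, root, f["component"])) for f in match_advisories(comps, advisories)]
```

Running `triage(SBOM_JSON, ADVISORIES, "pkg:pypi/webapp@2.0.0")` reports only EXAMPLE-0002, reached via webapp -> parserlib -> loglib; the parserlib advisory is correctly dropped because the shipped version already contains the fix.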
Until that happens, agencies have to work with self-attestations. Batiste said State is also looking into options for third-party tools to verify the accuracy of those self-attestations, but that will take time as well.
“Without a tool, it’s hard to really verify beyond the self-attestation,” she said on the Federal Drive with Tom Temin. “But I think it starts with forming that relationship with the developer, so that you understand, you’re forming that bond, that relationship, so that you understand his third-party vendors, etc. And you use processes too, such as assessments to validate where required, where you can.”
In the meantime, Batiste said State is pursuing continuous monitoring of software for any vulnerabilities. Her team created a risk assessment process that includes examining a vendor’s foreign relationships and the potential threats to infrastructure that the software might pose. From there, they decide whether to try to mitigate that risk or simply avoid using that software altogether.
Another thing State is focusing on is collaborating with the Cybersecurity and Infrastructure Security Agency and cybersecurity working groups to promote information sharing about threats and vulnerabilities. Those groups are also working together on surmounting the barriers to SBOM adoption.
“Vulnerability that hits one eventually touches us all,” Batiste said. “So the more we learn, the better we’re able to collectively protect our infrastructure.”