The National Security Agency has published new guidance to help organizations incorporate software bills of materials and mitigate supply chain risks.
In May 2021, the White House issued a cybersecurity executive order, mandating the use of SBOMs for transparency and cyber risk mitigation, as they would provide a complete picture of software components, including open source software, and their relationships.
The NSA guidance follows previous recommendations that the US government has provided on SBOMs and is meant to help organizations improve SBOM management by following three steps: cyber risk analysis, vulnerability analysis, and incident response.
The agency recommends that software suppliers mature their SBOM exchange practices, that both private and government organizations expand their SBOM research to help standardize solutions, and that software developers take ownership of customer security outcomes.
The NSA says, should leverage available government resources to ensure they acquire secure software.
National Security System owners are advised to develop and require software component information containing details on each software component, identification of all software dependencies, a container manifest for software with container components, digital signatures or authentication for component validation, SBOMs generated using source code for NSS-related software specifically developed under contract, the completeness of SBOMs for all software, limited rights to reverse-engineer software for validation purposes, and contract metrics for tracking and assessment.
NSA's guidance also recommends a series of best practices for NSS owners and shares details on the functionality that organizations should look for when considering SBOM management tools.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 18 Dec 2023 14:43:07 +0000