The Regulatory Landscape Makes SBOMs a Must Have
Regulatory demands now make an SBOM an essential in any organization. The Biden Administration released a memo in September 2022 that directs federal agencies to adopt guidelines from the National Institute of Standards and Technology (NIST) for securing software used by the federal government and attest to its security.
The memo is directed to the heads of executive departments and agencies and follows up on the administration’s May 2021 executive order for improving the nation’s cybersecurity. The order laid out new guidelines for securing software and empowers the Office of Management and Budget (OMB) to require agencies to comply with those guidelines.
The requirements apply to agencies’ use of software developed after the effective date of the memorandum, as well as agencies’ use of existing software that’s modified by major version changes after the effective date of the memorandum.
Agencies are required to obtain a self-attestation from all third-party software producers before using the software. A software producer’s self-attestation serves as a “conformance statement” described by the NIST Guidance, the memo said.
An acceptable self-attestation must include the software producer’s name; a description of which product or products the statement refers to; and a statement attesting that the software producer follows secure development practices and tasks that are itemized in the standard self-attestation form.
A software bill of materials (SBOM) may be required by the agency in solicitation requirements, based on the criticality of the software or as determined by the agency. If required, the agency needs to retain the SBOM, unless the software producer posts it publicly and provides a link to that posting to the agency.
The Biden Administration’s full memorandum is here; SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report “The Minimum Elements for a Software Bill of Materials (SBOM)” or successor guidance as published by the Cybersecurity and Infrastructure Security Agency (CISA).
SBOMs Are The Preferred Method for Software Visibility
While the memo does not make SBOMs mandatory for all agencies, it’s clear that they are the preferred method for showing conformance with the NIST secure software development practices, hence the push regulatory SBOM adoption.
Aside from the latest federal security directives and suggestions, SBOMs—and more specifically Dynamic SBOMs—should be a key component of any organization’s software security protocol. Why dynamic? Because the world of software is constantly changing. New features, code, vulnerabilities and patches are constantly appearing.
Static SBOMs that are difficult to update can’t be effective in light of this constant change. A Dynamic SBOM enables organizations to build a live inventory of all their software components, at any point in the software development lifecycle; search for vulnerable components across billions of files; use runtime analysis to know if detected bugs are exploitable in their environments; export and share their SBOMs in standard formats; and continuously monitor and update their SBOMs in real-time to include changes as they are introduced.
The latest government action related to software security gives all types of organizations—not just agencies—a reminder of the need for better software vulnerability management. SBOMs should be a key part of the effort.
How Rezilion Helps You With Your SBOM Efforts
Rezilion’s Dynamic SBOM gives you the visibility required in today’s regulatory landscape and reduces time to patch. Learn more about Rezilion’s Dynamic SBOM at https://www.rezilion.com/platform/dynamic-sbom/
