Exiger Regulatory Roundup, Episode 11: Deep Dive on SBOM

Mary Kopczynski, CEO of RegAlytics, breaks down this week’s hot regulatory topics, exclusively for Exiger.

Exiger Update – Deep Dive

Last week we did our first-ever deep dive into Executive Order 14028 on Improving the Nation’s Cybersecurity. We talked about how the order made it incredibly clear that, after the Solar Winds cyberattack, that quote “incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

Proposed Rule: Software Bill of Materials (SBOM)

So the bold change we’re talking about today is SBOM, or the software bill of materials.

It’s still a proposed rule to require SBOMs as part of government procurement processes, so that’s a good thing because it means you not only have time to get a handle on it, but you have time to shape it!  (Normally people don’t hear about this stuff until the deadline is long since passed, but that’s the beauty of Exiger choosing to stay on top of the global supply chain of regulatory alerts. It allows us the ability to be proactive about managing our supply chain risk.)

Comments Due: December 4, 2023

The deadline for comments is December 4, and you will see below the link to the rule, the link to the proposed Minimum Elements For a Software Bill of Materials, and the link where you can comment.

So what is the rule? The rule proposes a new requirement for government contractors to develop and maintain a software bill of materials (SBOM). The official definition is this: a Software bill of materials (SBOM) means a formal record containing the details and supply chain relationships of various components used in building software.

Machine-Readable, Industry-Standard Format

Each SBOM shall be produced in a machine-readable, industry-standard format and shall comply with all of the minimum elements identified. The required elements are created by the Department of Commerce, and the rule itself gives a link to a 28-page document that was produced by Commerce and the National Telecommunications and Information Administration (NTIA).

And this point: Don’t worry about which regulator is implementing this requirement, because it’s basically all of them. Just trust me on that.

7 Proposed Data Fields

So the 28-page document seems daunting, but, honestly, it’s 7 data fields, some of which are easy, some are not easy. So, easy: the Supplier Name of the Software, for example, Microsoft.  The Component Name, like Microsoft Excel.  Then the Version of the Component, Version 2309.  That can get a little tricky.  Then we get to the hard stuff: The Dependency Relationship.  That’s where you characterize the relationship that an upstream component X is included in software Y. 

The last two fields are easy. Author — the name of the entity that created the SBOM for this component and the Timestamp, which is the record of the date and time of the SBOM data assembly.

Provide SBOMs Upon Request

And what is all of this for? Because upon request, you will provide the SBOM to the government agency you are contracting with. And also — if CISA reaches out and either informs you of a threat or asks if you’re using something, you’ll be able to react quickly.

I’m pretty sure I can snap my fingers and at least 20 start-ups have been created to solve this problem for you. But wouldn’t it be easier if you stored this in the same place where you store all your supply chain information?

All that said, you have time. Eyeball the links in this blog and send a comment to the regulators. They do want your feedback — see details below.

Feedback Requested

How should SBOMs be collected? What protections are necessary for the info in there? What kind of challenges will you have making these SBOMs? What challenges are unique to software resellers? What challenges exist regarding legacy software? What should the rules of updating these be? With a new build or major release?

Other Obligations

And just so you know, there are other parts of the rule having to do with the role of certain agencies.  One, CISA will be allowed to request your help with threat hunting and incident response. Two, CISA, the FBI, the DOJ and the actual contracting agency will have full access to contractor information and information systems in the event of a security incident defined by the government. Three — for those of you who are operating globally and may have some other countries’ rule stopping you from sharing information with the U.S. government — this proposed rule is asking for your thoughts on this and examples of how that might play out. The last major section is about reporting times. Some regulators want to know in 72 hours. Some want to know in 8 hours. Some just say “promptly” and don’t give a time. What are your thoughts on this?

Estimated $8.8 Trillion Implementation

As a part of any rule, the agencies have to outline the expected costs of a new rule. This one is steep.  The agencies are estimating it will cost the U.S. government $225 million over the next 10 years to administer all of this, but a whopping $8.6 trillion for the public sector to comply.

And that’s it this week for Exiger’s Regulatory update. Join me every week no matter where I am for your dose of regulatory news.

Learn more about cyber solutions from Exiger to power your cyber supply chain risk management (C-SCRM) program.

SBOM Resources:

• Read the Rule and Submit Comments
• Minimum Elements for an SBOM
• Harnessing the Power of SBOM with Supply Chain Visibility
• Webinar: Building a Trusted Software Supply Chain: C-SCRM/SBOM in Government Procurement
• Other helpful materials