
NSA CSI Recommendations for Software Bill of Materials (SBOM) Management (Jan 2024 Update)


    Posted Jan 07, 2024 06:32:00 AM

    Hi All,

    NSA just published NSA CSI Recommendations for Software Bill of Materials (SBOM) Management (Jan 2024 Update)

    The dramatic increase in cyber compromises over the past five years, specifically of software supply chains, prompted intense scrutiny of measures to strengthen the resilience of supply chains for software used throughout government and critical infrastructure. Several policies and working groups at multiple levels within the U.S. Government focus on this need to ensure the authenticity, integrity, and trustworthiness of software products. The office of the National Manager for National Security Systems (NSS), working in collaboration with other NSA organizations, researched and tested tools that manage Software Bills of Materials (SBOMs) as part of a Cybersecurity Supply Chain Risk Management (C-SCRM) strategy. This guidance includes important recommendations for SBOM management tool functionality derived from the research and evaluation of various SBOM management tools.
    Fundamental to C-SCRM is leveraging a 'list of [software] ingredients' to understand and mitigate the cyber risks that software can pose to a user organization. SBOMs and SBOM management tools bridge this gap to support an improved cybersecurity posture. Specifically, users should leverage SBOMs, as part of a cybersecurity tool suite, to make:
      • Risk Management decisions about acquiring and deploying software,
      • Vulnerability Management decisions about software deployment and ongoing operations, and
      • Incident Management decisions to detect and respond to new software vulnerabilities during vital operations.
    This guidance can enable NSS software application owners and users to determine an appropriate management toolset that leverages SBOMs to achieve these tasks.



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
    ------------------------------