Interview transcript:

Terry Gerton: The acting Pentagon CIO Katie Arrington recently signed a new faster cyber rule for contractors, and one of the requirements is to produce a software bill of materials, or an SBOM. Can you start by telling us what that actually is?

Tom Pace: An SBOM is a software bill of materials. The best way to kind of think about this is a list of ingredients that make up a given piece of software. The other thing that’s interesting here is software can mean a number of different things. That could mean a Windows application, it could mean a container, a firmware image, a Linux application, a mobile app; all these different things are software. And so, what a software bill of materials provides you is the list of all the components and pieces and parts that make up that parent piece of software, no matter what it is. And so this will give you visibility into the first-party code elements, as well as the third-party or open source code elements as well. So this list of ingredients essentially allows organizations to have visibility into all the different pieces and parts that make up their software supply chain.

Terry Gerton: And how does government currently use the SBOMs?

Tom Pace: Currently, I mean, the government has a few different ways that they’re mandatorily using SBOMs, but if you look at, like, the FDA, they require SBOMs for any new medical device that goes through that process. Elsewhere, you have things like software attestation forms that are being submitted, but SBOMs are not mandatory as part of that process currently. But, where they are generating them, they use them to do things like identify outdated software components, find vulnerabilities that were previously not reported, find especially high-risk components that they might have intelligence about related to some other incident or threat actor that maybe they only have visibility into given the nature of the data that they might possess… So there’s a multitude of use cases that can be utilized here and that are being utilized by the federal government.

Terry Gerton: One of the new requirements of this rule is that these SBOMs be certified by an independent third party. Who are those third parties and how are they going to get these things certified?

Tom Pace: I don’t think anybody knows the answer to either one of those questions. There is no such thing currently that I’m aware of as some independent SBOM 3PAO. Nor is there a certification standard. You have standards that exist in terms of what, like, minimum elements should make up an SBOM and should they adhere to a particular format. One of those is called CycloneDX, which is managed by OWASP. And then another one is called SPDX, which is managed by the Linux Foundation. So both of those are neutral, very well respected third parties in cybersecurity, but there’s no crystal-clear standard for what should be in there, how it should be stored, that can be assessed against necessarily. You can say it meets this format, essentially, but that’s not going to necessarily guarantee you perfect accuracy or perfect completeness. And here’s, I guess, the good news: what else is new? Like, what else is there? SBOMs are this very odd thing in cybersecurity, where if they’re not perfect, then we just throw them away. Why even bother? Meanwhile, there’s nothing perfect in cybersecurity. Antivirus isn’t perfect, firewalls aren’t perfect, intrusion detection systems aren’t perfect. If everything was so perfect, there’d just be no breaches, right? There’d be no ransomware. There’d be no anything. But somehow, [SBOMs] are not perfect. And yet it’s like this very strange thing that happens with SBOMs where people are like, “Well, how do we know it’s perfectly accurate? How do we know it’s perfectly complete?” How do you know that about anything? That’s a bit of my SBOM quality tangent. I think a lot of people are supportive of SBOMs and having them for these reasons. I think one of the more challenging aspects of this, though, will be the third-party certification process. Unless it starts intelligently, where there’s, like, a relatively low bar at first, and then maybe over time it, like, ratchets down, that could make sense. But to come up with, like, something super mature right out of the gate, I think, is probably going to be difficult.

Terry Gerton: If these new rules are supposed to speed up the process of buying software, and yet there aren’t rules for evaluating the SBOMs, that seems to me to create a real process challenge for DoD as they go through this process.

Tom Pace: Yes, it 100% is going to. The key thing here is having this visibility in creating a software inventory of all the things that people are buying. That way you can react to the next Log4j, for instance, which the federal government still, right this second, could not tell you everywhere that Log4j is within federal government networks. It’s just, it’s an impossible ask. And so… I mean, think about it in terms of, imagine if there were no ingredient lists on any food items and then someone coming to you, saying, “Where is the high fructose corn syrup?” How would you figure that out? I mean, it would take decades; it would be a monumental effort to take every piece of food and figure out what had a particular ingredient in it. So that’s the nature of the problem that’s hoping to be solved here. Sure, anytime you’re introducing a net new set of data as significant as this, it’s going to cause, you know, some friction, I suppose. But I’m a big believer that anytime you run into friction, you’re probably doing the right thing.

Terry Gerton: Just don’t pour high fructose corn syrup on it. How is industry preparing to comply with this new requirement?

Tom Pace: Yeah, it’s a great question. Well, I think industry’s been preparing. In some other ways, anyway. As an example, you have the Cyber Resilience Act going on in the EU, which is going to be going into effect in a year or two, officially. So a lot of companies are preparing for that, that are at least working in the EU, which is most of them, most of the ones that matter at least. So this kind of thing is definitely on their radar. Everyone isn’t doing it, though. And you probably won’t be able to trust the party that’s providing the software to also provide the SBOM. They might; that might be a data artifact that you collect, because there’s just a number of other things, like how you create it, where you create it, things like that. But I would say industry is probably doing a much, much better job at being prepared for this kind of regulation, or whatever this is going to be called at the end of the day.

The post It will take more than a new policy to get certified SBOMs first appeared on Federal News Network.