Dropping the SBOM: The Major Omissions in CISA's Security Form

CISA's form omits SBOMs, sparking security debates. Embrace tools like CodeLock for enhanced software transparency.

SBOM Where Art Thou?

Software bill of materials (SBOM) documentation is a hot topic.

With so many software vendors unknowingly using third-party code with known vulnerabilities, it's no wonder that cybersecurity attacks are on the rise, especially when you consider that more than 81% of third-party code has significant security vulnerabilities.

Executive Order 14028 is leaving many vendors scrambling to get SBOMs together in time. And those who don't supply to the White House are not exactly off the hook when it comes to SBOMs.

This has left the industry scratching its head when it comes to the baffling omission by CISA, which seems to have mistakenly left SBOM off the list - at least by name.

While the CISA report effectively still demands an SBOM through evidence of artifacts, many have criticized the form and stressed the need to codify these artifacts and define them for what they are - an SBOM.

The market cost of cybercrime is set to reach USD 10.5 trillion by 2025. As such, business customers will likely soon be demanding software bills of materials (SBOMs) from their vendors.

Those that aren't doing so are likely to be left behind by their competitors as customers choose vendors that can prove their cybersecurity with an SBOM.

Back in May 2021, under the Biden Administration's watch, Executive Order 14028 sprang to life, instructing CISA alongside other bodies to reevaluate the software supply chain's defenses for federal vendors. This order was a precursor to a more comprehensive National Cybersecurity Strategy, which, among other goals, sought to shift the blame for supply chain mishaps from users to the software makers.

The road to crafting CISA's standard self-attestation form for software manufacturers was a journey that began with memoranda across 2022 and 2023, culminating in the final form's unveiling on March 11, 2024. Providers of critical software now face a three-month deadline to submit this form, while those behind software developed or modified post-September 14, 2022, have a six-month window before their products fall out of the federal government's favor.

This development represents a stride forward in securing the software supply chain, a narrative especially potent in the aftermath of the notorious SolarWinds IT monitoring software attack in 2020. Chris Hughes, not involved in the form's creation but a key figure in software supply chain security at Endor Labs and a Cyber Innovation Fellow at CISA, reflected on the significant headway made since that tumultuous period.

Nonetheless, the finalized self-attestation form's omission of SBOMs, detailed inventories of software components critical for evaluating security threats, has sparked debate. Initially, the draft hinted at the potential inclusion of SBOMs, but this mention vanished in the final version, stirring concerns about the future adoption of SBOMs in enhancing software transparency.

Moreover, the mandate that the form be endorsed by the CEO or a delegated authority within the company has ignited fears of misdirected accountability, potentially setting the stage for scapegoating lower down the hierarchy.

The newly minted self-attestation form from CISA marks a step in the right direction for the software supply chain's security landscape. However, the absence of SBOMs and apprehensions regarding executive responsibility underscore the need for further refinement in the quest for a more transparent and accountable software supply chain security framework.

SBOMs are vital as they provide a detailed list of every component that makes up a piece of software, along with their sources and dependencies. This comprehensive inventory is indispensable for understanding the potential security vulnerabilities and risks associated with each component. By having a clear map of the software's anatomy, organizations can proactively manage and mitigate risks, respond more effectively to security incidents, and comply with regulatory requirements.
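As an added illustration (not code from the original article or from CodeLock), the following Python loads a constructed CycloneDX-style SBOM and walks its dependency graph to show the chain through which a component with a known vulnerable version reached the product. The SBOM contents, component names and advisory data are all hypothetical.

```python
import json
# Constructed CycloneDX-style SBOM for a fictional service; not any real product's inventory.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "web", "name": "webframework", "version": "4.1.2", "purl": "pkg:pypi/webframework@4.1.2"},
    {"bom-ref": "tmpl", "name": "templating", "version": "1.0.7", "purl": "pkg:pypi/templating@1.0.7"},
    {"bom-ref": "yaml", "name": "yamlparser", "version": "5.3.1", "purl": "pkg:pypi/yamlparser@5.3.1"},
    {"bom-ref": "log", "name": "logtool", "version": "0.9.0", "purl": "pkg:pypi/logtool@0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "log"]},
    {"ref": "web", "dependsOn": ["tmpl"]},
    {"ref": "tmpl", "dependsOn": ["yaml"]},
    {"ref": "log", "dependsOn": []}
  ]
}'''
# Constructed advisory data (hypothetical): component name -> versions known to be affected.
ADVISORIES = {"yamlparser": {"5.3.0", "5.3.1"}}

def load_sbom(text):
    """Index every component by bom-ref and build the dependency adjacency list."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in bom["components"]}
    comps[root["bom-ref"]] = root
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, deps

def affected_refs(comps, advisories):
    """bom-refs whose (name, version) pair matches an advisory entry."""
    return {ref for ref, c in comps.items() if c["version"] in advisories.get(c["name"], ())}

def dependency_paths(root, deps, targets):
    """Every path from the root product to an affected ref: shows how a component got in."""
    paths, stack = [], [(root, [root])]
    while stack:
        ref, path = stack.pop()
        if ref in targets:
            paths.append(path)
        for child in deps.get(ref, []):
            if child not in path:  # a malformed, cyclic SBOM must not loop forever
                stack.append((child, path + [child]))
    return paths

def triage(text, advisories):  # readable chains from the product to each affected component
    root, comps, deps = load_sbom(text)
    hits = affected_refs(comps, advisories)
    return [" -> ".join(comps[r]["name"] for r in p) for p in dependency_paths(root, deps, hits)]
```

The transitive chain is the part a plain component list cannot give you: it tells responders which direct dependency to upgrade or replace rather than only that a vulnerable library is somewhere in the build.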

Given the crucial role of SBOMs in enhancing software transparency and security, it's paramount for organizations to adopt tools that facilitate their generation and management. This is where CodeLock comes into play. CodeLock, with its automatic SBOM generation feature, empowers organizations to seamlessly integrate the creation and maintenance of SBOMs into their development and security processes. By leveraging CodeLock, companies can ensure that they are not only compliant with emerging regulations but also positioned at the forefront of cybersecurity best practices.

As the software supply chain continues to evolve and face new threats, the importance of SBOMs cannot be overstated. They are the linchpin in achieving a transparent, secure, and resilient software ecosystem. Organizations should therefore consider adopting solutions like CodeLock, which offer automatic SBOM generation, to enhance their cybersecurity posture and safeguard against potential vulnerabilities.