CISA SBOM standards efforts stymied by confusion, inertia
Efforts to establish SBOM standards and guidance have progressed, but unanswered questions persist -- including how the federal government plans to enforce its own requirements.
There has been incremental progress in the year since the Cybersecurity and Infrastructure Security Agency held its first exploratory sessions on software bill of materials standards, but it still has a long way to go to establish effective guidance for IT orgs.
That was the consensus in discussions during a hybrid event called SBOM-a-rama this week by CISA. The event provided an update on CISA working groups' progress on government requirements for SBOMs under Executive Order 14028, which the Biden administration issued in May 2021. SBOMs are machine-readable lists of applications' underlying components and dependencies that can help IT organizations spot security vulnerabilities in their environments. CISA held listening sessions about SBOM adoption, including challenges for cloud-native environments, in July 2022.
Some SBOM-a-rama attendees questioned whether CISA's methodical efforts to date will be enough to effectively counteract the fast-moving threat of software supply chain attacks.
The hackers aren't slowing down, and the pain is very real. We need to pick up the pace to match hacker momentum.
Anonymous SBOM-a-rama live chat comment
"This needs to get better quickly -- we're not taking the Agile iterative methodology to heart here," said Amélie Koran, nonresident senior fellow at the Atlantic Council, a cybersecurity think tank in Washington, D.C., in an interview after the event. "We need to go from theory and academia to an applied thing ... If you have some willing industries ... [that say,] 'Well, let's try out this version, do some reporting, get some feedback and then iterate on it,' we're going to be a lot better off than waiting until we get to a standard."
An anonymous commenter in SBOM-a-rama's online chat put it more bluntly.
"The hackers aren't slowing down, and the pain is very real," the commenter wrote in response to a presentation by CISA's SBOM On Ramps & Adoption working group. "We need to pick up the pace to match hacker momentum."
Healthcare, finance groups push for SBOM results
Representatives from industry-focused working groups in finance and healthcare who gave presentations at SBOM-a-rama reported progress in the production and use of SBOMs in the last year, even as government standards remain works in progress.
"We are seeing ... general awareness [among] financial institutions that software supply chain security is a key emerging threat, whereas in prior years, there were just a few institutions discussing this threat," said Jonathan Meadows, managing director of cybersecurity at Citigroup, in a presentation.
"We now have a growing number [of institutions] starting to focus heavily in this area," Meadows continued. "Several teams are building proof-of-concept systems to ingest and evaluate SBOMs, focusing on inventory and vulnerability management use cases. This is a key improvement from prior years, where there was a push to request SBOMs, but institutions lacked the capabilities to leverage them."
In the healthcare industry, software supply chain security efforts are being spurred by an item in the Consolidated Appropriations Act, 2023 that granted the Food and Drug Administration (FDA) authority to regulate "cyber devices" used in the medical field. This regulation includes a requirement that device manufacturers produce SBOMs, according to a CISA presentation this week.
An ongoing onslaught of cyber attacks on hospitals and other medical institutions has also added to the urgency of software supply chain security efforts in this market. In the meantime, persistent efforts by hospital tech staff have overcome initial software provider concerns about handing over SBOM information -- and potentially their intellectual property.
"We spent about six months negotiating [an] NDA, just so we could get these SBOMs," recalled Jennings Aske, senior vice president and chief technology risk officer at NewYork-Presbyterian Hospital, in a presentation. "Today, it just seems so ridiculous that we spent all this time, but it was so controversial."
Jennings Aske, senior vice president and chief technology risk officer at NewYork-Presbyterian Hospital, presents at CISA's SBOM-a-rama conference.
Since 2019, Aske has led a team to produce a proof-of-concept document for healthcare SBOM practices. That group has also created a downloadable open source tool called DaggerBoard that healthcare organizations can use to view and evaluate SBOM data. The group is now working on integrating Vulnerability Exploitability eXchange (VEX) data into the tool.
Still, Aske admitted these efforts have slowed as the COVID-19 pandemic took its toll on healthcare. He called in his presentation for more participation in CISA efforts, inside and outside his own industry.
"We're plugging along, but we've seen some of the healthcare delivery organizations drop off because they simply are just burnt out," he said. "We want people to join our group -- it's not a healthcare-specific conversation. We have people from the auto sector and other sectors joining our meetings. So please reach out and join the work."
SBOM to-do list extends beyond standards progress
Presentation after presentation at this week's event echoed Aske's call for participation, and many of them also described industry-wide difficulty in establishing consistent asset naming and data quality conventions for SBOM data.
Over the last year, CISA's Tooling & Implementation working group, assigned to tackle the naming and quality problem, defined a set of SBOM types according to where and how SBOMs are used, as well as an early-stage set of SBOM quality standards and data field descriptions. But one of the leaders of that group said during an SBOM-a-rama open discussion session that confusion persists.
"We're finding people are taking the terms coming out of these working groups and adopting them and using them for something that's different underneath," said Kate Stewart, vice president of dependable embedded systems at The Linux Foundation and a co-chair of the Tooling & Implementation group.
Multiple SBOM-a-rama presentations and comments during the open discussion session also pointed out an unmet need for guidance on contract language that business stakeholders can use when companies request or supply SBOM data.
"People are going to start saying they want to have fixes immediately," said Bruce Lowenthal, senior director of the security alerts group at Oracle. "You're going to have to deal with the fact that if it's a fifth-party vulnerability, that you have to get the fourth party and the third party to upgrade, and if you can't, you're going to have to watch your contract, so you don't get things in there that are impossible to do."
In the meantime, none of these efforts has attempted to set standards for SaaS and cloud-native systems, which -- for now -- are an exception to the executive order requirements. Over the last year, a Cloud & Online Applications subgroup has produced a list of suggested SBOM data fields for online applications. Another subgroup is working to define the minimum components of cloud infrastructure as a baseline for SBOM. It hasn't produced specifications or guidance for more advanced issues in cloud-native SBOMs, such as ephemeral resources and analyzing data from multiple SBOMs.
To ensure the software supply chain remains secured and reliable for consumers, including U.S. government agencies, CISA must ask that software publishers expand their focus beyond vulnerabilities to cover other threats.
Charlie JonesDirector of product management, ReversingLabs
Several private sector vendors already offer tools for SBOM integration and analysis, including on cloud-native workloads. An exec from one such vendor issued a statement this week urging CISA to make quicker progress toward cloud-native SBOM standards.
"To ensure the software supply chain remains secured and reliable for consumers, including U.S. government agencies, CISA must ask that software publishers expand their focus beyond vulnerabilities to cover other threats," wrote Charlie Jones, director of product management at software supply chain security vendor ReversingLabs, in an email to TechTarget Editorial this week. "These threats include software tampering, malicious implants, digital signature manipulation, exposed secrets, memory exploitation, and exposed ports, protocols and services."
ReversingLabs has reached out to CISA via its public feedback process and proposed ideas for new attestation requirements for the gaps it sees in SBOM standards, Jones wrote.
Most companies aren't yet ready to deal with SBOMs on that level, however, said one SBOM-a-rama attendee in an online interview.
"There's still too many panes of glass for security and engineering to pay attention to," said Jeffrey Luszcz, founder of software composition analysis vendor Palamida, which Flexera acquired in 2016. "The [open source] repos need to take more responsibility on watching for these types of attacks."
'What if we just don't comply?'
Confusion over conflicting and incomplete cybersecurity standards and regulations for SBOMs extends well beyond CISA. In addition to CISA and the National Telecommunications and Information Administration, other government agencies such as NIST have released guidance on cybersecurity and zero-trust architecture. Many of these documents are complementary, but there are instances of overlap, such as CISA's VEX and a NIST specification for vulnerability disclosure reports. CISA's SBOM standards efforts also overlap with the Internet Engineering Task Force's Supply Chain Integrity, Transparency and Trust initiative.
Outside the U.S., governments worldwide are developing overlapping and sometimes conflicting regulations on cybersecurity, including the European Union's Cyber Resilience Act, further muddying the compliance waters for multinational companies.
Some IT organizations have even begun to contemplate calling the U.S. government's bluff on SBOMs, and questioning what happens if they don't comply with Executive Order 14028 deadlines.
"A common question that I've been hearing a lot [from clients] is, 'Well, what if we just don't comply and we accept that risk?' And, 'Is there anything that's actually going to happen?'" said Emily Fesnak, senior cybersecurity consultant at Deloitte, during the SBOM-a-rama open discussion session.
Answers to Fesnak's question from CISA panelists and other discussion participants varied. They included multiple suggestions about how to demonstrate the value of compliance with SBOM standards, but none were specific about the consequences of noncompliance.
"It is not for me to say what happens if you don't do what the U.S. government tells you," Allan Friedman, senior adviser and strategist at CISA, told Fesnak.
Unfortunately for efforts to promote the adoption of SBOMs, the answer might actually be nothing, according to Atlantic Council's Koran.
"[Federal] oversight groups don't have the resources to go and provide a review of stuff, if it was even asked for, like [with] the FDA," she said. "They can request SBOMs until they're blue in the face, but there's no framework in place for enforcement."
In the next year, Koran said she hopes to see clearer and more consolidated U.S. and international leadership on SBOMs.
"There are a lot of people who all want to protect the [software supply chain], but no one's really taking the lead," she said. "The lack of global leadership on this is the thing that's hampering us the most."
Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
