CISA Official Renews Call for SBOMs to Help Software, Supply Chain Security

Source: CISA Official Renews Call for SBOMs to Help Software, Supply Chain Security – MeriTalk

Wider use of software bills of materials (SBOM) requirements represents a key building block in software security and software supply chain risk management that Federal agencies need to increasingly rely on going forward, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said today.

Allan Friedman, a senior advisor and strategist for CISA, explained that software packages typically include an extensive number of third-party components, and that Federal agencies must actively watch and manage each one to preserve security and functionality.

“To that end, it’s critical for the Federal government to move towards frequent utilization of an SBOM to keep track of these components. This machine-readable list comprises the various dependencies and elements of a piece of software,” Friedman said at a virtual event hosted by GovExec.

An SBOM also constitutes a formal record containing the details and supply chain relationships of various components used in building the software.

The drive for SBOMs has gained steam since May 2021, when the Biden administration released an executive order emphasizing SBOMs as a way of boosting the nation’s cybersecurity. Since then, the National Telecommunications and Information Administration (NTIA) has sought comment on what to include in SBOMs, and CISA leadership has called for SBOMs to aid in system visibility and inventory management following disclosure of the Log4J vulnerability earlier this year.

Friedman said today that SBOM implementation in the Federal space remains new and emerging. And while there is no reason organizations cannot use SBOM today, “we cannot assume universal full automation and integration,” he said.

Moving forward, Friedman listed three main goals in the government’s broader SBOM initiative:

  • Make SBOM generation an expectation in the marketplace;
  • Make SBOM generation easier and cheaper, at scale; and
  • Enable efficient and effective SBOM data consumption.

Additionally, Friedman explained that CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. He also explained that “continued industry leadership is needed to guide SBOM investment, standards, and policy.”

Friedman acknowledged that transparency will not solve all security problems, but “without transparency, it will be very hard to solve any security problems.”
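As an added illustration of the "SBOM data consumption" goal above (example code, not from the article or from CISA), the following script reads a constructed CycloneDX-style JSON SBOM and reports the dependency path from the top-level application to every copy of a named component below a given version, the kind of inventory question agencies had to answer after the Log4J disclosure. The SBOM contents, component names and the version threshold are all constructed for the example.

```python
import json
from collections import deque

# Constructed, minimal CycloneDX-style SBOM (JSON). Not a real product inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "agency-portal", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "web", "type": "library", "group": "com.example", "name": "web-framework", "version": "5.1.0"},
        {"bom-ref": "logging", "type": "library", "group": "com.example", "name": "logging-facade", "version": "1.0.4"},
        {"bom-ref": "log4j", "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "json", "type": "library", "group": "com.example", "name": "json-parser", "version": "2.0.0"},
    ],
    # Supply chain relationships: who pulls in whom (bom-ref -> list of bom-refs).
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "json"]},
        {"ref": "web", "dependsOn": ["logging"]},
        {"ref": "logging", "dependsOn": ["log4j"]},
        {"ref": "json", "dependsOn": []},
        {"ref": "log4j", "dependsOn": []},
    ],
})


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def find_affected(sbom_json, group, name, fixed_in):
    """Return one 'a -> b -> c' path per copy of group:name whose version is
    below fixed_in. The path answers both 'is it in our software?' and
    'which dependency brings it in?' fixed_in is an assumed threshold supplied
    by the caller, not a value taken from any advisory."""
    bom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    hits = []
    queue = deque([[root["bom-ref"]]])  # breadth-first walk over dependency paths
    while queue:
        path = queue.popleft()
        comp = components.get(path[-1], {})
        if (comp.get("group"), comp.get("name")) == (group, name) \
                and parse_version(comp["version"]) < parse_version(fixed_in):
            hits.append(" -> ".join(f"{components[r]['name']}@{components[r]['version']}" for r in path))
        for child in graph.get(path[-1], []):
            if child not in path:  # skip cycles so malformed SBOMs cannot loop forever
                queue.append(path + [child])
    return hits
```

Running `find_affected(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", "2.17.0")` on the constructed data reports the single transitive path through `web-framework` and `logging-facade`, which a flat package list would not reveal.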

Overview of KA-SAT Network Cyber Attack via the Cyber Supply Chain

Viasat is providing an overview and incident report on the cyber-attack against the KA-SAT network, which occurred on 24 February 2022, and resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service.

This incident was localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement Viasat signed with Eutelsat following Viasat’s purchase of Euro Broadband Infrastructure Sàrl (“EBI”), the wholesale broadband services business created as part of Viasat’s former partnering arrangement with Eutelsat. The residential broadband modems affected use the “Tooway” service brand. This cyber-attack did not impact Viasat’s directly managed mobility or government users on the KA-SAT satellite. Similarly, the cyber-attack did not affect users on other Viasat networks worldwide.

For more, visit KA-SAT Network cyber attack overview | Viasat

Amazon Joins Orbital Reef Commercial Space Station Project

Amazon is getting into the private space station business. 

The company has joined the Orbital Reef commercial space station project to provide supply-chain logistics and Amazon Web Services for the private orbital outpost, which is slated to launch by the late 2020s. The Orbital Reef project is led by Blue Origin and Sierra Space, and is a partnership with Boeing, Redwire Space, Genesis Engineering, and Arizona State University. Amazon’s role in Orbital Reef, which the company announced at the 37th National Space Symposium, includes overseeing logistics using its Distribution and Fulfillment Solutions arm. And Amazon Web Services will offer networking, cloud computing and communications solutions for the station’s flight operations, development and design teams.

Source: Amazon joins Orbital Reef commercial space station project | Space

Supply Chain Crisis Worsens As Russia’s War Against Ukraine Continues

As Russia’s war against Ukraine escalates and sanctions by the U.S. and other countries intensify, so does their impact on supply chains around the world.

Going through recent events like the U.S.-China trade war, Covid-induced disruptions, followed by the major armed conflict, many firms that had been skeptical about the idea of reshoring and multi-sourcing started to reexamine their options… they are living through the era of disequilibrium, and all of a sudden ‘just-in-case’ sounds more reasonable than ‘just-in-time’…

After the jolts from these successive events…the momentum will be built towards a model of more regionalized supply chains, with weakened linkages in some areas but also strengthened ones in other corners…

Many big tech companies that put facilities in Poland and Hungary are quite close to the fire now. It is forcing those companies to shift capacity and volume to safer regions, like North and South America.

Source: Forbes Supply Chain Crisis Worsens As Russia’s War Against Ukraine Continues (forbes.com)

FCC Puts Kaspersky on Security Threat List

The Federal Communications Commission recently determined that security products from Kaspersky posed an unacceptable risk to US national security and added the company to a covered list of other firms not eligible for FCC funds. Kaspersky becomes the first security company and first Russian entity to be added to the US security threat list. Companies that appear on the list are ineligible to receive any of the $8 billion available annually under the FCC’s Universal Service Fund. The fund supports telecom services in rural areas and for low-income consumers and entities such as schools, libraries, and hospitals. The move adds Kaspersky to the same covered list that Huawei and ZTE landed on in 2021.

Source: https://arstechnica.com/information-technology/2022/03/fcc-puts-kaspersky-on-security-threat-list-says-it-poses-unacceptable-risk/

Senate Revving up to Finish COMPETES/USICA Reconciliation

Source: MeriTalk

Senate leadership is making the legislative moves necessary to begin work in earnest on reconciling two different versions of innovation and competition legislation that feature billions of dollars in funding to boost domestic semiconductor production and create a new technology directorate at the National Science Foundation (NSF).

Along those lines, Senate Majority Leader Chuck Schumer, D-N.Y., filed cloture on the House-passed America Creating Opportunities for Manufacturing, Pre-Eminence in Technology, and Economic Strength (COMPETES) Act on March 17.

On the Senate floor, Schumer then laid out his plan of action, which involves the Senate taking up the America COMPETES Act, amending it with the text of the Senate-passed United States Innovation and Competition Act (USICA), passing it, and then sending the resulting legislation back to the House for conferencing.

“Last summer the Senate passed an overwhelmingly bipartisan bill that will bring manufacturing jobs back to America, fix supply chains, fuel scientific research, and ultimately lower costs by a significant amount,” Sen. Schumer said. “The bipartisan bill would be great news for our economy, our entrepreneurs, our innovators, and especially families who are feeling the sting because of the chip shortage.”

“We all know the chip shortage is hurting so many people,” he continued. “It’s hurting the auto industry that’s had to temporarily shut down factories. It’s hurt our tech industry, our health care industry, and so many others. So let’s solve this quickly.”

Each of the bills contains $52 billion to fully fund the CHIPS Act – a measure included in the fiscal year (FY) 2021 National Defense Authorization Act – in addition to other investments in domestic research and development.

Russian Hackers Are Targeting American Oil Refineries

Source: The Street
Published: March 15, 2022

Cyber criminals are targeting the energy infrastructure in the U.S., including pipelines, refineries and power grids, to attack their operations and supply chain systems, experts said. Hackers have targeted oil and gas producers in the past, such as the attack on Colonial Pipeline, the largest U.S. fuel pipeline, which resulted in shortages along the East Coast in April 2021.

White House Outlines Strategy to Revitalize and Fortify U.S. Manufacturing, Supply Chains

  • The White House has announced key government-wide initiatives for the coming year that are focused on long-term domestic supply chain resilience.
  • The Biden Administration released a capstone report on key actions it has taken over the past year to reduce U.S. supply chain vulnerability across a range of key sectors.
  • As a complement to the capstone report, seven cabinet agencies published reports identifying weaknesses and strategies to strengthen supply chains for these sectors.

Source: White House Outlines Strategy to Revitalize and Fortify U.S. Manufacturing, Supply Chains | Insights | Holland & Knight (hklaw.com)

RSA Conference (RSAC) 2022

San Francisco, CA
June 6-9, 2022

The theme for RSAC 2022 is “Transform.” This conference offers a dialogue on the rapidly evolving information security industry by providing insight into trends and breaking news in information security. It is intended for military, government, academia, and industry information security experts.

Protecting Data & the Supply Chain
This track explores the cascading security requirements of the extended enterprise and the classification, tracking, and protection of data. It covers data protection regulations, DLP and threats to sensitive data, and emerging trends in software supply chain security as well as vendor and partner SLAs, supply chain mapping, continuous enforcement, and how to future-proof vendor contracts and risk assessments for evolving requirements.

For more information, follow these links:

2022 USA | RSA Conference
Trust, but Verify: Protecting Your Business from Supply Chain Attacks | RSA Conference