Source: Dark Reading
Published: May 31, 2022

The digital supply chain is under attack like never before. Listed among the top seven security concerns for 2022 by Gartner, digital supply chain security is now top of mind for cybersecurity teams, CISOs, and the entire C-suite. For the first time, digital supply chain attacks are threatening business continuity for large-scale enterprises. Digital supply chains are connected to almost every mission-critical service in an organization. All Internet-facing services are built on a tiered ecosystem of third-party services and infrastructures. In turn, every third party has its own third parties, which have their own third parties, and so on down the line. This means that the vulnerabilities of your vendors and your vendors’ vendors (and so on) often become your vulnerabilities.

View here: How to Keep Your Enterprise Safe From Digital Supply Chain Attacks

Source: CISA Official Renews Call for SBOMs to Help Software, Supply Chain Security – MeriTalk

Wider use of software bills of materials (SBOM) requirements represents a key building block in software security and software supply chain risk management that Federal agencies need to increasingly rely on going forward, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said today.

Allan Friedman, a senior advisor and strategist for CISA, explained that software packages typically include an extensive number of third-party components, and that Federal agencies must actively watch and manage each one to preserve security and functionality.

“To that end, it’s critical for the Federal government to move towards frequent utilization of an SBOM to keep track of these components. This machine-readable list comprises the various dependencies and elements of a piece of software,” Friedman said at a virtual event hosted by GovExec.

An SBOM also constitutes a formal record containing the details and supply chain relationships of various components used in building the software.

The drive for SBOMs has gained steam since May 2021, when the Biden administration released an executive order emphasizing SBOMs as a way of boosting the nation’s cybersecurity. Since then, the National Telecommunications and Information Administration (NTIA) has sought comment on what to include in SBOMs, and CISA leadership has called for SBOMs to aid in system visibility and inventory management following disclosure of the Log4J vulnerability earlier this year.

Friedman said today that SBOM implementation in the Federal space remains new and emerging. And while there is no reason organizations cannot use SBOM today, “we cannot assume universal full automation and integration,” he said.

Moving forward, Friedman listed three main goals in the government’s broader SBOM initiative:

Make SBOM generation an expectation in the marketplace;
Make SBOM generation easier and cheaper, at scale; and
Enable efficient and effective SBOM data consumption.

Additionally, Friedman explained that CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. He also explained that “continued industry leadership is needed to guide SBOM investment, standards, and policy.”

Friedman acknowledged that transparency will not solve all security problems, but “without transparency, it will be very hard to solve any security problems.”