Wednesday, June 2, 2021

Review - EO 14028 – NTIA Publishes SBOM Request for Comments

Today, the DOC’s National Telecommunications and Information Administration (NTIA) published a notice in the Federal Register (86 FR 29568-29571) requesting public comments on “Software Bill of Materials Elements and Considerations”. This action is being taken in support of the requirements of EO 14028 for NTIA to “publish minimum elements for an SBOM” {§4(f)}.

Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #210527-0117). Due to the short response requirements of EO 14028, NTIA is requesting that comments be submitted by June 17th, 2021.

Commentary

One point that is not discussed here (and, admittedly, it was not part of the presidential mandate) but that needs to be addressed before any SBOM process becomes operational is the information sharing aspect of the SBOM. Let’s face it, an SBOM is going to provide an adversary with a software blueprint that will help guide the development of an attack process. Any discussion of an effective SBOM process is going to have to address how widely the detailed information in an SBOM is shared.

For a more detailed look at the information that NTIA is looking for, see my post at https://patrickcoyle.substack.com/p/eo-14028-ntia-publishes-sbom-request (subscription required).
