NTIA Working on Software Component Transparency Guidelines
Standardizing data shared on software components is vital for identifying cyber vulnerabilities and will have an impact across industries, stakeholders told NTIA during a virtual meeting on the multistakeholder process on software component transparency Thursday. NTIA’s goal is to standardize…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
software component data sharing so entities and users can better understand networks, which will help identify risks and affected components. NTIA plans to issue guidance for a software bill of materials. SBOMs list software components. “The NTIA SBOM initiative is driven by stakeholders, and they are ultimately responsible for setting timetables, defining deliverables and reaching consensus,” a spokesperson emailed. NTIA Director-Cybersecurity Initiatives Allan Friedman highlighted the importance of guidance. He cited a recent Snyk survey, in which 60 percent of respondents say lack a “good view into the full dependency trees of their software.” This means it’s difficult to identify newly discovered vulnerabilities, Friedman said. Survey participants included officials in software development, security and infrastructure/operations. Progress on the initiative has been “subtle” but “impactful,” said FDA Cyber Policy Adviser Jessica Wilkerson. Lack of clarity can make it difficult to map “component to vulnerability data, license data, or other data,” wrote working group co-chairs Michelle Jump, MedSec's global regulatory adviser-medical device cybersecurity, and Art Manion, a senior member of the vulnerability analysis team at Carnegie Mellon University's Software Engineering Institute. It makes it difficult for entities potentially hit in a cyberattack to determine if they are affected and where the affected software is used, Jump said.