NTIA Software Component Transparency

Date: June 05, 2018

Upcoming Meeting

Date: July 19, 2018
Time: 10:00 a.m. to 4:00 p.m., Eastern Time
Location: American Institute of Architects, 1735 New York Ave., NW., Washington, DC 20006
This meeting will also be webcast, and a call bridge will be available for remote participation.

NTIA’s next cybersecurity multistakeholder process will focus on Software Component Transparency. Participants will explore how manufacturers and vendors can communicate useful and actionable information about the third-party software components that comprise modern software and IoT devices, and how this data can be used by enterprises to foster better security decisions and practices.  The first meeting, to be held on July 19, 2018, is intended to bring stakeholders together to share the range of views on software and IoT component transparency, and to establish desired stakeholder outcomes and a structure for this process.  The goal of this initiative is to foster a market offering greater transparency to organizations, who can then integrate this data into their risk management approach.

This is an open meeting, and no registration is necessary.

This meeting will be webcast, and will offer dial-in access to enable remote participation. Webcast information and an agenda for this meeting will be available in advance of the event. For more information, or to receive updates about this initiative, please contact afriedman@ntia.doc.gov.

The objectives of this first meeting are to:

  1. Share the perspectives and concerns of both the vendor and enterprise customer communities;
  2. Discuss and acknowledge what is already working;
  3. Explore obstacles and challenges for greater transparency and better risk decisions;
  4. Identify promising areas of potential collaboration;
  5. Engage stakeholders in a discussion of logistical issues, including internal structures such as a small drafting committee or various working groups, and the location and frequency of future meetings; and
  6. Identify concrete goals and stakeholder work following the first meeting. 

Background:

Since 2015, the National Telecommunications and Information Administration has sought public comment on several matters around cybersecurity, the Internet of Things, and the health of the digital ecosystem. Several themes emerged from these three public consultations. Many stakeholders emphasized the importance of community-led, consensus-driven, and risk-based solutions to address cybersecurity challenges, highlighting the role NTIA should play in convening multistakeholder processes. In the digital ecosystem, particular challenges were identified: understanding and handling vulnerability information, addressing the insecurities in the growing IoT marketplace, and fostering a secure development lifecycle. NTIA has convened two multistakeholder processes to address these challenges, one on vulnerability disclosure and another on IoT security updates.

Additional Information:

The Federal Register Notice announcing the first meeting and providing further background and detail: https://www.ntia.doc.gov/federal-register-notice/2018/notice-071918-meeting-multistakeholder-process-promoting-software

Assistant Secretary David Redl's blog post, “NTIA Launches Initiative to Improve Software Component Transparency”

A report by the U.S. Department of Commerce and the U.S. Department of Homeland Security, “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats”

Information about NTIA’s multistakeholder process on IoT security upgradability and patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security

Information about NTIA’s multistakeholder process on vulnerability disclosure: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities