You are here

NTIA Software Component Transparency

Date: 
July 20, 2018

Working Groups

At the July 19 kickoff meeting, several working groups were proposed. Information on those working groups is below. To participate, please email afriedman@ntia.doc.gov.

Understanding the Problem

Goal is to scope out the idea of software transparency and the problems it seeks to solve, including how SBOM data might be shared. Outputs might include useful terminology, issues and explicit decisions to address, and implementation guides.

Use Cases and State of Practice

Will focus on identifying use cases, current and possible future, where SW Bill of Materials or similar data is used to achieve various goals. Through review of the current state of practice, we will develop outputs that identify what works today and what are barriers to success.

Standards and Formats

Will investigate existing standards and initiatives as they apply to identifying the external components and shared libraries, commercial or open source, used in the construction of software products. The group will analyze efforts underway in the community and industry related to assuring this transparency is readily available in a machine-readable manner. 

Healthcare Proof of Concept

This will be a collaborative effort between healthcare delivery organizations and medical device manufacturers to establish a prototype SBOM format and exercise use cases for SBOM production and consumption. The goal is to demonstrate successful use of SBOMs and relate to the overall cross-sector effort to establish standardized formats and processes.

Upcoming Meeting

The next meeting will be in the second half of September, and will be a virtual meeting. The date will be announced shortly.

Past Meetings

Date: July 19, 2018

NTIA’s next cybersecurity multistakeholder process will focus on Software Component Transparency. Participants will explore how manufacturers and vendors can communicate useful and actionable information about the third-party software components that comprise modern software and IoT devices, and how this data can be used by enterprises to foster better security decisions and practices.  The first meeting, to be held on July 19, 2018, is intended to bring stakeholders together to share the range of views on software and IoT component transparency, and to establish desired stakeholder outcomes and a structure for this process.  The goal of this initiative is to foster a market offering greater transparency to organizations, who can then integrate this data into their risk management approach.

For more information, or to receive updates about this initiative, please contact afriedman@ntia.doc.gov.

Background:

Since 2015, the National Telecommunications and Information Administration has sought public comment on several matters around cybersecurity, the Internet of Things, and the health of the digital ecosystem. Several themes emerged from these three public consultations. Many stakeholders emphasized the importance of community-led, consensus-driven, and risk-based solutions to address cybersecurity challenges, highlighting the role NTIA should play in convening multistakeholder processes. In the digital ecosystem, particular challenges were identified: understanding and handling vulnerability information, addressing the insecurities in the growing IoT marketplace, and fostering a secure development lifecycle. NTIA has convened two multistakeholder processes to address these challenges, one on vulnerability disclosure and another on IoT security updates.

Additional Information:

The Federal Register Notice announcing the first meeting and providing further background and detail: https://www.ntia.doc.gov/federal-register-notice/2018/notice-071918-meeting-multistakeholder-process-promoting-software

Assistant Secretary David Redl's blog post “NTIA Launches Initiative to Improve Software Component Transparency

A report by the U.S. Department of Commerce and the U.S. Department of Homeland Security, “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats

Information about NTIA’s multistakeholder process on IoT security upgradability and patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security

Information about NTIA’s multistakeholder process on vulnerability disclosure: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities