Moving Toward a More Transparent Software Supply Chain

September 30, 2019 by Allan Friedman, Director of Cybersecurity Initiatives, Office of Policy Analysis and Development

Earlier this month, NTIA convened the latest in a series of multistakeholder meetings on software component transparency. For more than a year, stakeholders have been exploring this issue through four working groups established during the July 2018 kickoff meeting. The broader community meets periodically to share progress and encourage feedback through in-person and virtual meetings.

Most modern software is not written completely from scratch, but includes existing components, modules, and libraries from the open source and commercial software world. Modern development practices such as code reuse, together with a dynamic IT marketplace of acquisitions and mergers, make it challenging to track the use of software components.

The Internet of Things and the emergence of Cyber-Physical Systems, which integrate computation, networking, and physical processes, compound this phenomenon, as new organizations, enterprises and innovators take on the role of software developer to add “smart” features or connectivity to their products. Although the majority of libraries and components do not have known vulnerabilities, the sheer quantity of software means that some software products ship with vulnerable or out-of-date components.

At the September meeting in Washington, D.C., the working groups presented near-final drafts of the key documents they’ve been working on. Framing Software Component Transparency provides broad definitions and defines a minimum viable “software bill of materials” or “SBOM.” Roles and Benefits for SBOM Across the Supply Chain characterizes how SBOMs can offer tangible security and efficiency benefits to those who make, select, and operate software.

A third working group conducted a Survey of Existing SBOM Formats and Standards to help the community understand how this can be automated for greater efficiency. Finally, a number of stakeholders worked together to demonstrate that SBOMs were possible in a particular sector, and documented their lessons learned for the broader community in the Healthcare Proof of Concept Report. These documents will serve as a foundation for future work on software transparency.

NTIA is committed to helping the community make this vision of software supply chain transparency a reality.

The next in-person meeting of this process is tentatively planned for November 2019. For more information, visit ntia.gov/SoftwareTransparency.