Allan Friedman, who just moved to the Cybersecurity and Infrastructure Security Agency (CISA) to help scale up work on software bill of materials (SBOM), said operationalizing SBOM requires integrating the concept into existing tools, daily operations and into the cybersecurity and vulnerability ecosystem, Nextgov reported Friday.
“SBOM was never meant to be a standalone concept. Its value is that it helps support other ongoing efforts and enables further intelligence efforts for the cybersecurity and data management approaches,” Friedman told Nextgov in an interview.
“SBOM, in the long run, shouldn't be thought of as a unique suite; it should just be part of a multifaceted cybersecurity agenda that we should be pushing and fostering,” he added.
In June, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) sought public comments on the elements of an SBOM, with the aim of improving transparency in the software supply chain in compliance with President Biden’s cybersecurity executive order. A month later, NTIA issued a report on the minimum elements of an SBOM.
Friedman also discussed the goals for developing agency guidelines and potential changes to federal procurement regulations with regard to SBOM.
“One of our core goals is going to be to sort of help advise those that are actually building out either guidelines or explicit requirements to say, one, ‘when we say something about SBOM, what do we mean?’ making sure that we're all aligned,” he said.
“And then, two, helping [make] an appropriate case for, you know, scaling this up so that it's something that, on one hand, reflects the White House's sense of urgency for making progress, but at the same time making sure that we're not overwhelming it, or creating imperfect implementations that will actually set back the agenda,” Friedman added.
ExecutiveBiz, sister site of GovConDaily and part of the Executive Mosaic digital media umbrella, will host a virtual event about securing the supply chain on Oct. 26. Visit ExecutiveBiz.com to sign up for the “Supply Chain Cybersecurity: Revelations and Innovations” event.