Executive order 14028 calls for all software vendors to the US government to list the components that they used to create their products with software bill of materials (SBOM) documentation by September 2023. Let's consider how increasing demands for software supply chain security (SSCS) will impact your organization.
EO 14028: Improving The Nation's Cybersecurity was issued by the US government on May 12, 2021. The document signaled the start of a White House crackdown on open-source software risk in light of rising cyber crime.
This executive order laid down a strict and demanding timeline for the implementation of a range of measures designed to protect the United States from cyber infiltration. A key point within the bill was a requirement for vendors of software to the White House in:
"...providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website"
In simple terms, this means that all software vendors to the US government will soon need to have comprehensive SBOM documentation ready to present to their customer. Let's look more closely at what this entails and why software supply chain security (SSCS) has become so relevant.
What Is An SBOM As Mentioned In EO 14028?
A software bill of materials (SBOM), as requested by EO 14028, has often been called an 'ingredients list' for your software. It's a document that tracks each third-party software component and open-source software risk that's been used to build your product.
According to the Department of Commerce, SBOMs should be a machine-readable list of the components, libraries and modules that make up the software. They should also include the supply chain relationships between these components, and their software supply chain security (SSCS) details.
This means that, when a vulnerability in a piece of open-source software is discovered, you can immediately tell whether it will impact your customers and how to fix it. It's like using nutrition information to tell if a food item is safe for someone with an allergy.
A survey conducted by Linux found that executives also report SBOMs make it easier to:
- understand dependencies across components (51%)
- monitor components for vulnerabilities (49%)
- manage license compliance (44%)
Yet, an SBOM can't realise all of this alone. Once you have SBOMs in place, you'll then need to map them to the services in your inventory, which is where the LeanIX Value Stream Management (VSM) platform can support you.
Out-of-the-box integrations and easy-to-use APIs will give you a real-time inventory of your services and the teams responsible for them. As a result, you can understand at a glance which services are dependent on a specific library, which teams are responsible, and which products use the service.
Why Is The US Government Calling For SBOMs?
Software bill of materials (SBOM) documentation is a hot topic. Ever since the Log4Shell remote code execution (RCE) vulnerability in Apache log4j 2 came to light, software supply chain security (SSCS) has been a concern.
A Synopsis Cybersecurity Research Center survey revealed that 97% of 2,409 items of software had open-source software risk. Concerningly, 81% of these had security vulnerabilities.
With so many software vendors unknowingly using third-party code with known vulnerabilities, it's no wonder that cyber security attacks are on the rise. According to Deloitte, more than 34% of organizations have had accounting and financial data targeted by cyber criminals.
EO 14028 is leaving many vendors scrabbling to get SBOMs together in time. However, this doesn't mean that those who don't supply to the White House are off the hook when it comes to SBOMs.
Do You Need SBOMs If You're Not Vending To The White House?
The largest economy in the world is, of course, a trend setter. Even if it wasn't, the rest of the world is equally concerned about software supply chain security (SSCS).
The former European Network and Information Security Agency (ENISA), which is now called the European Union Agency for Cybersecurity, has already published similar guidelines to EO 14028 with the EU Cybersecurity Act. Yet, it's not just world governments that are concerned about open-source software risk.
The market cost of cyber crime is set to reach USD 10.5 trillion by 2025, according to Cybercrime Magazine. As such, business customers will likely soon be demanding software bills of materials (SBOMs) from their vendors.
It's no wonder that a Statista survey showed that 59% of over 500 organizations around the world are working to add intelligence to their existing software security tools, such as SBOMs. Those that aren't doing so are likely to be left behind by their competitors as customers choose vendors that can prove their cyber security with an SBOM.