EO 14028 – NTIA Publishes SBOM Request for Comments
Today, the DOC’s National Telecommunications and Information Administration (NTIA) published a notice in the Federal Register (86 FR 29568-29571) requesting public comments on “Software Bill of Materials Elements and Considerations”. This action is being taken in support of the requirements of EO 14028 for NTIA to “publish minimum elements for an SBOM” {§4(f)}.
NTIA Background
NTIA has been working on the SBOM issue since before its first public meeting on the topic on July 19th, 2018. The Agency's "Software Transparency" website chronicles the public work it has been sponsoring on the topic, and its "Software Bill of Materials" page provides links to a number of documents on the subject.
SBOM Components
Today's request for comments outlines NTIA's current thinking on what should constitute an SBOM. This includes a potential list of data fields to be included in an SBOM and a discussion of the operational considerations that the end product needs to address. The notice also briefly discusses the automation support required for an effective SBOM process and the three existing data standards for sharing SBOM information.
Request for Comments
The NTIA is soliciting public comments on what an SBOM process should look like. They are specifically looking for answers to the following questions:
Are the elements described above, including data fields, operational considerations, and support for automation, sufficient?
Are there additional use cases that can further inform the elements of SBOM?
NTIA is also looking for feedback on the following issues:
Additional topics that commenters might want to address are:
Risk management, and
Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #210527-0117). Due to the short response requirements of EO 14028, NTIA is requesting that comments be submitted by June 17th, 2021.
Commentary
The Executive Order gives NTIA 60 days to "publish minimum elements for an SBOM". This is an incredibly short period of time in which to establish such a critical piece of cybersecurity methodology. Judging from the list of information that NTIA is requesting here, I believe that they may be over-thinking the requirement that the President has laid upon them.
Section 4(f) only requires that NTIA publish the 'minimum elements' for an SBOM, not that it establish the complete SBOM ecosystem. I think that they have pretty effectively done that in their listing of the 'data fields' in today's notice. The other topics on which NTIA is also soliciting comments today are important points for discussion about establishing a robust SBOM process, but they were not the President's mandate.
One point not discussed here (and, again, not part of the presidential mandate) that needs to be worked out before any SBOM process becomes operational is the information-sharing aspect of the SBOM. Let's face it, an SBOM is going to provide an adversary with a software blueprint that will help guide the development of an attack process. Any discussion of an effective SBOM process is going to have to address how widely the detailed information in an SBOM is shared.