CISA Seeks Public Input for Supply Chain Security Improvements
The Cybersecurity and Infrastructure Security Agency (CISA) recently took a significant step in bolstering software supply chain security by issuing a formal request for public input.
The agency wants to create a more unified system for software identification to track essential information, including known vulnerabilities, available security patches and approved software.
The “Software Identification Ecosystem Option Analysis” white paper presents six potential paths along with benefits, challenges and community or authority structures that would be needed to develop and sustain the identifier format ecosystem.
It also offers the software identifier formats that appear most promising as starting points, which are presented to help refine the merits of various operational models.
In the request for feedback, the CISA said it is particularly interested in insights regarding the requirements for an efficient software identification ecosystem, the merits and challenges of identifier formats and the potential role of a central authority.
The move aligns with the broader efforts initiated after President Joe Biden’s 2021 executive order aimed at enhancing cybersecurity.
All interested parties have until December 11 to provide their comments. Additionally, federal authorities are considering the establishment of a global authority to set common rules and assign responsibilities related to software identification.
John Gallagher, vice president of Viakoo Labs at Viakoo, said having a more standardized process for identifying what vulnerabilities exist in a software package benefits both software producers and consumers.
“In both cases, the training and implementation can be more streamlined, and it enables skilled workers to be trained and certified around its use,” he explained. “The objective here is to propose a standard for how software components within a package are identified and presented for use in threat detection and vulnerability remediation.”
He noted that software bills of materials (SBOMs) are critical to multiple steps in threat detection and vulnerability remediation but are still in the early stages of implementation.
“SBOMs become more mainstream and useful as efforts like this remove the variability of their usage and can help solution providers—such as application-based discovery, threat assessment, mitigation and vulnerability remediation—drive toward more automation in how software vulnerabilities are found and managed,” Gallagher said.
From his perspective, having agreed-upon definitions for software identifiers is a necessary step to address version control and for having automated solutions developed to properly consume and use this information.
However, some of the challenges that may arise are in the wide diversity of products and software applications.
“This effort on software identifiers does not take into consideration the differences between cloud-based software and IoT device firmware, let alone the combination of IoT devices and applications that are tied to them,” he said.
Gallagher added that another challenge is how this definition for software identifiers will be implemented with respect to other efforts, specifically the publishing of SBOMs, or the use of the vulnerability exploitability exchange (VEX), which he called “critical initiatives”.
Callie Guenther, senior manager of cyber threat research at Critical Start, said a harmonized system of software identification can profoundly bolster the security of the software supply chain by ensuring traceability of software components, facilitating swift threat mitigation and fostering consistent communication among stakeholders.
“The primary objective is to foster trust and resilience in the cybersecurity landscape,” she said. “SBOMs are paramount to this, providing transparency into software components, aiding in efficient vulnerability management, and streamlining security patching processes.”
Guenther said that for an effective software identification ecosystem, timely availability of identifiers and a balance between precision and grouping are crucial.
“However, challenges like widespread adoption, compatibility with existing systems and managing the sheer diversity of software loom large,” she said.
She explained that while a central authority for the software identifier ecosystem can provide needed standardization and act as an arbiter in disputes, the risks include potential bureaucracy slowing response times and the vulnerability of a centralized system.
“CISA’s call for community input is a positive move, ensuring diverse views shape the final solution, but it’s essential to not only gather but also integrate this feedback effectively,” Guenther noted.