In May 2021, an Executive Order was issued on Improving the Nation’s Critical Infrastructure (EO 14028). The U.S. government’s current directives are necessary to improve critical infrastructure cybersecurity and to address complex multidimensional cybersecurity challenges affecting the world. Two common themes emerge across these initiatives—the need to expand public/private partnerships and the need to improve transparency and information sharing. At Cisco, we’re ready for the challenge.
Transparency and Executive Order 14028
Trust in technology is being undermined by a lack of software transparency. Recent cybersecurity attacks highlight the complexities of the software supply chain, as well as the lack of visibility into cascading risks accepted when operating today’s software. More transparency is needed. The Software Bill of Materials (SBOM), a machine-readable list of metadata describing the components from which software is built, can help provide this transparency. We support the industry’s adoption of SBOMs.
A clear directive and market incentive for SBOMs has been created by Executive Order 14028. The National Telecommunications and Information Administration’s (NTIA) RFC on SBOM Elements and Considerations outlines the current state of SBOMs. Cisco’s published position statement on SBOMs describes what we hope to accomplish as we continue to engage in industry efforts to mature SBOM adoption.
Now is the time for the community to lean in and help build out next-generation transparency. Delivering SBOMs at scale to the U.S. government and other customers requires:
- Agreement between suppliers and consumers as to how much information should be disclosed in an SBOM, and integration of these requirements into contract language
- Community-driven, consensus-based international industry standards to be defined for machine-readable SBOM production, sharing and consumption
- Tooling to remove manual processes and enable transparency automation throughout the software development life cycle and complete Value Chain
- Awareness and adoption of these standards and technologies to ensure use of SBOMs
- Communication from SBOM consumers to demonstrate value and provide feedback on their utility
There remains a significant amount of collaborative work ahead of us. The good news is that we’re off to a good start:
- Two standards have emerged to express the data format of an SBOM in a machine-readable manner: SPDX version 2.2 has been recognized by ISO as the international standard ISO/IEC 5962:2021, and CycloneDX has been adopted by OWASP
- IETF has drafted a standard for Discovering and Retrieving Software Transparency and Vulnerability Information
- The US NTIA multistakeholder group has published a large body of work to create awareness and adoption of SBOMs
- Cisco continues to participate in plugfests, docfests, hackathons, and proof-of-concept engagements to learn, improve tooling, and understand our customers’ needs.
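To make the "machine-readable" point concrete, here is an added example (not Cisco's code, and not a real product inventory) that reads the two formats named above, a constructed SPDX 2.2 JSON document and a constructed CycloneDX 1.4 JSON document, into one component inventory and flags entries a consumer could not match against vulnerability advisories; the sample data is made up, while field names follow the public specifications.

```python
import json

# Constructed sample SBOMs (made-up data, not a real product inventory), trimmed to
# the fields this example reads; field names follow the SPDX 2.2 and CycloneDX 1.4 JSON specs.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Corp"},
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
         "supplier": "Organization: zlib contributors"},
    ],
})

CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "supplier": {"name": "zlib contributors"}, "purl": "pkg:generic/zlib@1.2.11"},
        # Shipped without a version: common in practice, and unusable for advisory matching.
        {"type": "library", "name": "openssl"},
    ],
})

def components(sbom_text):
    """Return (name, version, supplier) tuples from an SPDX 2.2 or CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return [(c["name"], c.get("version"), (c.get("supplier") or {}).get("name"))
                for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        out = []
        for p in doc.get("packages", []):
            # SPDX writes the supplier as "Organization: <name>" or "Person: <name>".
            sup = p.get("supplier", "")
            sup = sup.split(":", 1)[1].strip() if ":" in sup else None
            out.append((p["name"], p.get("versionInfo"), sup))
        return out
    raise ValueError("unrecognized SBOM format")

def missing_version(sbom_text):
    """Components a consumer cannot match to advisories because the SBOM gives no version."""
    return [name for name, version, _ in components(sbom_text) if not version]
```

The same inventory function serves both formats, which is the practical payoff of having agreed machine-readable standards rather than vendor-specific spreadsheets.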
We are also looking to partner with others in the SBOM ecosystem.
As you move forward on your response to Executive Order 14028, we encourage you to consider the following two questions.
- How are you adopting SBOMs in your organization?
- What’s your biggest priority as SBOMs gain traction?
Cisco’s support of Executive Order 14028
In the blog post Cisco Stands Ready, my colleague Peter Romness highlighted how Cisco can immediately support the federal government requirements set out in Sections III and V of Executive Order 14028. In response to Section IV, we responded to the NTIA’s SBOM RFC, participated in NIST’s call for position papers and workshop on Enhancing Software Supply Chain Security, and provided feedback on NIST’s Security Measures for “EO-Critical Software” Use. We support Critical Software Security.
Eric Wenger recently discussed how Cisco Responds to Biden Administration Critical Infrastructure Cybersecurity Memorandum. And we’re ready to serve as a “plank holder” in CISA’s recently announced Joint Cyber Defense Collaborative. We look forward to continuing to collaborate with our federal government partners as they respond to the Executive Order.
And remember, our team of cybersecurity experts at Cisco is here to help you with any questions you may have about transparency and how to efficiently approach the Executive Order. We encourage you to join the conversation below or reach out to us directly.