Understanding the NSA’s latest guidance on managing OSS and SBOMs
Software supply chain security continues to be a critical topic to the cybersecurity and software industry, and for good reason — from continued attacks against large software vendors to attackers’ malicious focus on the open-source software ecosystem by attackers it is front and center for most CISOs and security practitioners. Luckily, organizations continue to produce solid guidance to help practitioners mitigate software supply chain risks. The latest publication, “Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bills of Material,” comes from the US National Security Agency (NSA).
It also builds on previous publications such as the White House Cybersecurity Executive Order (EO) and memos and forthcoming requirements for Federal agencies, such as the Office of Management and Budget’s (OMB) memos 22-18 and 23-16, which require software suppliers selling to the US federal government to self-attest to aligning with publications such as the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF) and even providing SBOMs in some cases.
While the NSA guidance points to previous publications from the White House, NIST, and OMB, this publication is relevant to all organizations producing and consuming software, leveraging OSS, and looking to embrace artifacts such as SBOMs. Here are some of the key areas of the guidance, including recommendations and takeaways from the document.
Structure of the NSA guidance on SBOMs
The NSA guidance focuses on four key areas, as outlined in the table below, and aligned with their respective SSDF Activities. (Area 1 is omitted as it is simply an introduction):
Courtesy of the US National Security Agency
US National Security Agency
Open-source software management
This section of the NSA guidance defines key roles and responsibilities for developers and suppliers, among others. It notes that developers have responsibilities such as identifying potential OSS solutions to use and integrating OSS solutions into product software, as well as tracking updates to those components. Suppliers are those producing a product or service and performing activities such as monitoring for license changes or vulnerabilities of OSS components included in products, due to the risks they could pass on to downstream consumers.
The NSA lays out primary considerations for using OSS, such as evaluating OSS components for vulnerabilities in sources such as the NVD and other vulnerability databases and ensuring that vulnerable components aren’t being included in products. It also recommends organizations remain aware of licensing considerations such as license compliance, as well as export controls, such as the evolving EU regulations which may impact the incorporation of OSS into products.
