Supply chains face known and unknown risks. IT organizations are especially susceptible to supply chain risk as it often uses many open source products in the acquisition and development of their software. We need a structured approach for cybersecurity supply chain risk management. A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components.
The Executive Order (EO) on Improving the Nation’s Cybersecurity released on May 12, 2021 acknowledges the increasing number of software security risks throughout the supply chain. This EO mandates that Federal departments and agencies (and their suppliers) understand the cybersecurity risks through the software and services that they acquire, deploy, use, and manage from their supply chain (which includes open source software components). Acquired software may need to contain known and unknown vulnerabilities as a result of the product architecture and development life cycle.
In this webinar learn about cybersecurity risk management and governance.
- Identify and document the risks and known vulnerabilities.
- Build a supply-chain risk-management framework.
- Know and manage critical components and suppliers.
- Develop a supplier/vendor software bill of materials, of each binary component that is used in the software, firmware, or product.
- Build a remediation plan for any vulnerable open source materials.
- Institute a governance and monitoring process.