Natsec agencies seek inclusion of SBOM in update to NIST series on CUI

By Sara Friedman  / October 6, 2022

The National Institute of Standards and Technology's update to the Special Publication 800-171 series should include guidance on Software Bill of Materials (SBOM) as it relates to how contractors handle controlled unclassified information (CUI) held on nonfederal systems, according to recent feedback from the Defense Department and the National Security Agency.

NIST issued a pre-draft call for comments in July asking how organizations are using the 800-171 series and what changes would improve its usability and implementation. The DOD chief information officer for resources and analysis and the NSA Cybersecurity Collaboration Center submitted separate comments last month that mention SBOM in the context of the 2021 cyber executive order.

The 800-171 series provides a tailored approach to using NIST’s massive catalog of security and privacy controls, known as Special Publication 800-53, drawing on the moderate baseline and other requirements in Federal Information Processing Standards Publication (FIPS) 200. NIST described 800-53 Rev. 5 as a “complete renovation” of the publication when it was released in September 2020.

The NSA’s CCC recommends adding the supply chain risk management controls from 800-53 Rev. 5 as well as SBOM.

The CCC said in its comments, “Under EO 14028, there is a focus on security and integrity of critical software. The EO calls out software bill of materials as one of the requirements to enhance the security of the software supply chain. We need a whole of government approach to include supporting nonfederal systems and organizations.”

The center continued, “Also, we need greater assurance that baseline products used in nonfederal systems and organizations do not include malicious components that will impact the confidentiality of CUI (e.g. data exfiltration triggered by hidden malicious components that becomes active).”

The DOD CIO office recommends adding the supply chain risk management control on provenance, SR-4, from NIST Special Publication 800-161. That control specifically addresses SBOM.

The control says, “Provenance should be documented for systems, system components, and associated data throughout the [system development life cycle]. Enterprises should consider producing SBOMs for applicable and appropriate classes of software, including purchased software, open source software, and in-house software.”

In SP 800-161, NIST recommends using the National Telecommunications and Information Administration’s “Minimum Elements For a Software Bill of Materials” report to produce an SBOM. The standards agency also directs users to refer back to SBOM guidance on NIST’s cyber EO website.

DOD’s Michele Iversen said in her comments, “A key risk aspect determined from DOD analysis of foreign intelligence entity threat[s] within the supply chain is a lack of supply chain illumination and understanding of supply chain components. Provenance activities, including the enhancements SR (1-4), are necessary to ensure knowledge of the supply chain and to ensure CUI protection.”

Iversen asks NIST to “specifically call out SBOM needs” in the updated 800-171 guidance “for not only a whole-of-government approach, but also to include supporting non-federal systems and organizations.”

Iversen is the DOD CIO’s director of risk assessment and operational integration. DOD’s submission to NIST also included contributions from Dana Mason of the Cybersecurity Maturity Model Certification Program Management Office Working Groups.

The CMMC PMO was moved in February from the under secretary of defense for acquisition and sustainment's office to the office of the DOD CIO. Special Publication 800-171 is foundational to level two of the CMMC program.

The PMO also recommends adding controls from 800-161 on establishing an “Information Security Program Plan,” centralized log management, backups, and more.