I’ve noticed that conversations on Software Bills of Materials (SBOMs) generally discuss what they are, their value, and issues around their generation. However, I haven’t seen or heard much evidence that SBOMs are incorporated into operational processes. It's important to realize that SBOMs can be a valuable tool in managing cybersecurity risk, and they don’t have to be kept separate from existing cybersecurity processes; they can feed them.
In a recent conversation with Dmitry Raidman, CTO of Cybeats, the term RiskOps came up. RiskOps is short for "Risk Operations" and refers to the fusion of risk management and operations management methodologies. The central objective is to recognize, appraise, and reduce potential risks linked to business operations, aiming to minimize losses and enhance operational productivity. This includes activities such as analyzing risks, reporting on them, monitoring them, and devising plans to diminish their impact. The ultimate purpose of RiskOps is to give organizations the knowledge and tools to make informed decisions about their operations and to be better prepared to handle risks as they arise.
In the world of cybersecurity, the Risk Management Framework (RMF) is a seven-step process under the Federal Information Security Modernization Act (FISMA) that helps organizations manage risks associated with information technology. NIST SP 800-37r2 identifies potential inputs for each task, like information about supply chains, assets, systems and system elements, system component inventories, and risk determinations.
Unfortunately, neither the phrase “software bill of materials” nor the term “SBOM” appears within the text of the guidance provided by NIST. As a result, a majority of cybersecurity practitioners are unfamiliar with SBOMs or the value they bring to the RMF process.
An SBOM is a missing link that provides an actionable definition for the concept of “supply chain information” concerning the trustworthiness and verifiability of software provenance. Using SBOMs to feed the RMF process is an excellent example of leveraging SBOMs to support RiskOps.
By incorporating SBOM data into operations management processes such as supply chain risk management, asset management, vulnerability management, and defensive cyberspace operations, the inputs to the RMF tasks become more richly detailed with software provenance information, allowing potential security vulnerabilities and indicators of risk to be identified and mitigated.
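To make the preceding point concrete, here is an added example (my own illustration, not code from the original post, from NIST, or from Cybeats) of turning SBOM data into two of the RMF inputs named above: a system component inventory and a set of risk determinations. It parses a minimal, constructed CycloneDX-style JSON SBOM for each asset, merges them into an inventory keyed by package URL, and matches that inventory against a constructed advisory list. The asset names, component names, versions, and `ADV-EXAMPLE-*` identifiers are all made up for illustration; real advisories would come from a vulnerability feed.

```python
"""Turn CycloneDX-style SBOM data into RMF task inputs (added example).

Not from the original post, NIST, or Cybeats. All sample data below is
constructed: asset names, components, versions, and advisory IDs.
"""
import json
from dataclasses import dataclass

# Constructed sample: one minimal CycloneDX 1.4-style SBOM per asset.
SBOMS_BY_ASSET = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.2.3",
             "purl": "pkg:generic/libfoo@1.2.3"},
            {"type": "library", "name": "libbar", "version": "2.0.0",
             "purl": "pkg:generic/libbar@2.0.0"},
        ],
    }),
    "reporting-worker": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.2.4",
             "purl": "pkg:generic/libfoo@1.2.4"},
            {"type": "application", "name": "util", "version": "0.9"},
        ],
    }),
}

# Constructed advisory feed with placeholder IDs (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libfoo", "affected": {"1.2.3"}, "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "util", "affected": {"0.9"}, "severity": "medium"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


def parse_sbom(text: str) -> list[Component]:
    """Read the fields this example needs from a CycloneDX JSON document.

    A component without a purl gets a synthesized pkg:generic identifier so
    it still lands in the inventory instead of being dropped silently.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"unsupported bomFormat: {doc.get('bomFormat')!r}")
    components = []
    for c in doc.get("components", []):
        name, version = c.get("name", "unknown"), c.get("version", "unknown")
        purl = c.get("purl") or f"pkg:generic/{name}@{version}"
        components.append(Component(name, version, purl))
    return components


def build_inventory(sboms_by_asset: dict[str, str]) -> dict[str, dict]:
    """System component inventory: purl -> component plus the assets that ship it."""
    inventory: dict[str, dict] = {}
    for asset, text in sboms_by_asset.items():
        for comp in parse_sbom(text):
            entry = inventory.setdefault(
                comp.purl, {"name": comp.name, "version": comp.version, "assets": set()})
            entry["assets"].add(asset)
    return inventory


def determine_risk(inventory: dict[str, dict], advisories: list[dict]) -> list[dict]:
    """Risk determinations: which advisories apply to which assets via the inventory."""
    findings = []
    for adv in advisories:
        for purl, entry in inventory.items():
            if entry["name"] == adv["name"] and entry["version"] in adv["affected"]:
                findings.append({
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "purl": purl,
                    "assets": sorted(entry["assets"]),
                })
    # Highest severity first so the Monitor/Authorize tasks see the worst risk on top.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order.get(f["severity"], 9), f["advisory"]))
    return findings


def rmf_inputs(sboms_by_asset=SBOMS_BY_ASSET, advisories=ADVISORIES):
    """Return (inventory, risk determinations) ready to feed RMF tasks."""
    inventory = build_inventory(sboms_by_asset)
    return inventory, determine_risk(inventory, advisories)


if __name__ == "__main__":
    inv, findings = rmf_inputs()
    print(f"{len(inv)} distinct components across {len(SBOMS_BY_ASSET)} assets")
    for f in findings:
        print(f"{f['advisory']} [{f['severity']}] {f['purl']} -> {', '.join(f['assets'])}")
```

The inventory is keyed by package URL rather than by bare name so that two assets shipping different versions of the same library (as `libfoo` does here) show up as distinct inventory entries, and only the affected version is attributed to a finding; that is the provenance detail an SBOM adds that a plain asset list lacks.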
And there, we come full circle to the term RiskOps. I don’t expect the term to get much traction. Still, I hope the SBOM and RMF communities become more familiar with each other and leverage existing business processes to enhance cybersecurity.