I’ve noticed that conversations on Software Bills of Materials (SBOMs) generally discuss what they are, their value, and issues around their generation. However, I haven’t seen or heard much evidence that SBOMs are incorporated into operational processes. It's important to realize that SBOMs can be a valuable tool in managing cybersecurity risk, and they don’t have to be used in isolation from existing cybersecurity processes.
In a recent conversation with Dmitry Raidman, CTO of Cybeats, the term RiskOps came up. RiskOps is a condensed version of "Risk Operations" and indicates the fusion of risk management and operations management methodologies. The central objective is to recognize, appraise, and reduce potential risks linked to business operations, aiming to minimize losses and enhance operational productivity. This includes various activities such as scrutinizing risks, reporting on them, monitoring them, and devising plans to diminish their impact. The ultimate purpose of RiskOps is to provide organizations with the knowledge and tools to make informed decisions about their operations and to be better prepared to handle risks as they arise.
In the world of cybersecurity, the Risk Management Framework (RMF) is a seven-step process under the Federal Information Security Modernization Act (FISMA) that helps organizations manage risks associated with information technology. NIST SP 800-37r2 identifies potential inputs for each task, like information about supply chains, assets, systems and system elements, system component inventories, and risk determinations.
Unfortunately, neither the phrase “software bill of materials” nor “SBOM” appears within the text of the guidance provided by NIST. As a result, a majority of cybersecurity practitioners are unfamiliar with SBOMs or the value they bring to the RMF process.
An SBOM is a missing link that provides an actionable definition for the concept of “supply chain information” concerning the trustworthiness and verifiability of software provenance. Using SBOMs to feed the RMF process is an excellent example of leveraging SBOMs to support RiskOps.
By incorporating SBOM data into the various operations management processes like supply chain risk management, asset management, vulnerability management, and defensive cyberspace operations, the inputs to the RMF tasks are more richly detailed with software provenance information, allowing for potential security vulnerabilities and indicators of risk to be identified and mitigated.
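As an added example (not code from this post or from Cybeats) of how SBOM data can feed two of the RMF inputs named above, a system component inventory and a risk determination, the script below parses a constructed, simplified CycloneDX-style SBOM and joins it with a constructed advisory list that uses placeholder identifiers rather than real CVEs. Components whose supplier is absent from the SBOM are flagged as a provenance gap and rated one step higher, reflecting the trustworthiness point made earlier.

```python
import json

# Constructed CycloneDX-style SBOM fragment (simplified, not a real product's SBOM).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"type": "library", "name": "libfoo", "version": "1.2.0",
  "purl": "pkg:generic/libfoo@1.2.0", "supplier": {"name": "Example Vendor"}},
 {"type": "library", "name": "libbar", "version": "0.9.1",
  "purl": "pkg:generic/libbar@0.9.1"},
 {"type": "library", "name": "libbaz", "version": "3.0.0",
  "purl": "pkg:generic/libbaz@3.0.0", "supplier": {"name": "Other Vendor"}}]}"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:generic/libfoo@1.2.0", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:generic/libqux@2.0.0", "severity": "LOW"},
]

SEVERITY = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def component_inventory(sbom_text):
    """Build the RMF 'system component inventory' input: one record per SBOM
    component keyed by purl, flagging a missing supplier as a provenance gap."""
    inventory = {}
    for c in json.loads(sbom_text).get("components", []):
        key = c.get("purl") or f"{c['name']}@{c['version']}"
        supplier = (c.get("supplier") or {}).get("name")
        inventory[key] = {"name": c["name"], "version": c["version"],
                          "supplier": supplier, "provenance_gap": supplier is None}
    return inventory


def risk_determinations(inventory, advisories):
    """Build the RMF 'risk determination' input: worst advisory severity per
    component, raised one step when the component's provenance is unknown."""
    worst = {}
    for adv in advisories:
        if adv["purl"] in inventory:  # advisories for components not in the SBOM are ignored
            cur = worst.get(adv["purl"], "NONE")
            worst[adv["purl"]] = max(cur, adv["severity"], key=SEVERITY.index)
    result = {}
    for key, comp in inventory.items():
        level = worst.get(key, "NONE")
        if comp["provenance_gap"]:
            level = SEVERITY[min(SEVERITY.index(level) + 1, len(SEVERITY) - 1)]
        result[key] = level
    return result


if __name__ == "__main__":
    inv = component_inventory(SBOM_JSON)
    for purl, level in sorted(risk_determinations(inv, ADVISORIES).items()):
        print(f"{purl}: {level}")
```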
And there, we come full circle to the term RiskOps. I don’t expect the term to get much traction. Still, I hope the SBOM and RMF communities become more familiar with each other and leverage existing business processes to enhance cybersecurity.