National Cybersecurity Strategy Implementation Plan (NCSIP) - Doubling Down on SBOM’s

We recently saw the publication of the National Cybersecurity Strategy Implementation Plan (NCSIP), which lays out how the U.S. Federal government, in collaboration with other stakeholders, intends to implement the broad and ambitious U.S. National Cybersecurity Strategy that was published earlier this year. 

It lays out various strategic objectives and associated initiatives which I have covered in-depth in a previous article of Resilient Cyber. Among those are the continued push to “Shift Liability for Insecure Software and Services” which is Strategic Objective 3.3. Among that Strategic Objective are initiatives related to continuing the push for the concept of a software liability framework and advancing efforts around SBOM’s to mitigate the risk of unsupported software and address longstanding information asymmetries between software suppliers and downstream consumers. 

This combination of initiatives brings a focus on both commercial software suppliers as well as the use of unsupported and vulnerable software components in U.S. critical infrastructure, the latter of which has increasingly been under attack by malicious actors such as China and Russia. 

This is an obvious attempt to continue the momentum built up under SBOM efforts by groups such as the NTIA and now CISA, as well as sources such as the U.S. Cybersecurity Executive Order (EO) 14028. Among the support for SBOM is language to help address gaps in SBOM scale and implementation as well as explore the potential for a globally-accessible database for end-of-life/end-of-support software, as well as an international staff-level working group for SBOM’s. 

We know from various reports that outdated, unpatched and unmaintained OSS usage is pervasive across many IT/OT systems, including in the critical infrastructure sectors. Continuing the support for SBOM’s will help bring transparency and visibility to the pervasiveness of those components and enable organizations to work to address them to mitigate risk. 

For organizations concerned with the growing calls for a software liability framework, they will want to make efforts now to address transparency gaps with their customers and consumers and produce artifacts such as SBOM’s to show the components in their products and any associated vulnerabilities, especially if they are reachable and exploitable. This will best position organizations to take advantage of emerging safe harbor provisions that protect organizations from liability when they are following requirements such as providing SBOM’s and self-attestations around secure software development. 

While we’ve got a long way to go on the topic of SBOM’s, software transparency, software liability and safe harbor, the NCSIP is another sign on the journey of major national governments such as the U.S. and E.U. are intent on driving software transparency and address software supply chain insecurities. Software suppliers should work now to position themselves to meet these requirements, rather than waiting when they’re upon them and being demanded by customers or regulators. 

‍