CISA targets software identification in push to boost supply chain security

The Cybersecurity and Infrastructure Security Agency on Thursday issued a request for comment on how to create a more harmonized system of software identification as part of a larger effort to make the software supply chain more secure. 

Since President Joe Biden issued an executive order on improving cybersecurity in 2021, CISA and other federal agencies have been working to prioritize software security by improving vulnerability management and the use of software bills of materials (SBOMs).

The request for comment is designed to establish uniform parameters for tracking the critical information needed to improve software security. Information on known vulnerabilities, what mitigations or security patches are available, and which software is approved for use are all part of the effort, according to a white paper released by CISA.

“A more robust software identifier ecosystem must be established for a harmonized software identification ecosystem that facilitates greater automation, inventory visibility, and the multifaceted value proposition of SBOM’s broad adoption,” Sandy Radesky, associate director for vulnerability management at CISA, said in a statement.

CISA is seeking comments on several key issues, including the following: 

  • Requirements for an effective software identification ecosystem.
  • The merits and challenges of available identifier formats.
  • The viability of a system based on inherent or defined identifiers.
  • The need for a central authority or other body for a software identifier ecosystem. 

The agency is working with experts from the Homeland Security Systems Engineering and Development Institute to identify important elements of such a system. 

All comments must be received by Dec. 11. 

Federal authorities also want to create a global authority that will establish common rules and assign responsibilities related to software identification. 

“Without a shared understanding around how to identify each piece of software, it is impossible to have SBOMs or vulnerability details that can be exchanged in an automated way,” Brian Fox, co-founder and CTO of Sonatype, said via email. “Can you imagine the chaos of food labels if each vendor had their own name for sugar?”