NIST and CISA have taken important steps to help secure the software supply chain as prescribed be the May 12, 2021 Cybersecurity Executive Order, 14028. Modern guidelines for software supply chain protections were issued by NIST on February 4, 2022 to implement more effective measures to detect and mitigate software supply chain risk. Using this new guidance a software consumer will be able to answer the question at any moment in time and receive a rapid risk assessment: "What is the vulnerability status of product P, version V from Supplier S at time(t) at the SBOM component level?"

This excerpt from the NIST guidance issued on 2/4 provide a clear understanding of the intent of this guidance:

This document provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development throughout the software life cycle. These recommendations are intended to help federal agencies get the information they need from software producers in a form they can use to make risk-based decisions about procuring software. These recommendations address all items within Section 4e from a software purchaser (federal agency) viewpoint. They involve software producers indicating conformity with secure software development practices as part their internal processes by providing artifacts to federal agency purchasers and/or attesting to conformity.

The scope of this guidance is limited to federal agency procurement of software, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. The location of the implemented software, such as on-premises or cloud-hosted, is irrelevant.

These guidelines provide a powerful capability that genuinely helps software consumers manage risks whenever new, dangerous, vulnerabilities, like Log4j, are reported.

REA filed the following comments to NATF recommending adoption of these 2/4/2022 NIST best practices to improve software supply chain security and risk management:

COMMENTS FILED WITH NATF on 2/7/2022

On behalf of Reliable Energy Analytics, LLC (REA) I’m pleased to submit these comments in response to the Annual Supply Chain Criteria and Questionnaire Revision Process Underway, with a deadline of 2/18/2022.

REA thanks the NATF for the opportunity to provide these comments for your consideration.

BACKGROUND

REA has extensive experience with NIST C-SCRM and NTIA SBOM best practices based on NTIA SBOM guidelines, NIST SP 800-161, the NIST Cybersecurity Framework version 1.1 and the NIST SP 800-53 series of standards, since 2018. REA has been actively engaged in the development of software supply chain risk management solutions since November, 2018 in support of Federal Regulatory Commission (FERC) Order 850 (18 CFR Part 40): Supply Chain Risk Management Reliability Standards, for the Electric industry. REA’s experiences and contributions to the development of NTIA SBOM and NIST C-SCRM (SP 800-161 R2 Appendix F) standards was provided via the following activities:

• Participant in NTIA Software Transparency Initiative since 2020
• Participant in CISA SBOM initiative since 2021
• Group member NIST sw.assurance initiative, (NIST group responsible for SP 800-161) since 2020; Comments were filed with NIST for Appendix F enhancements
• Active member Linux Foundation NTIA SPDX SBOM Technical Team, since 2021
• Active member CISA ICT_SCRM Task Force, small and medium business work group since 2021 and author of the open-source SBOM Vulnerability Disclosure Report
• Participant in Linux Foundation DocFest NTIA SPDX SBOM interoperability testbeds
• Design, development and release of the Software Assurance Guardian Point Man (SAG-PM ™) risk assessment application, a NIST C-SCRM and NTIA SBOM solution for Executive Order 14028 following NIST SP 800-161 Appendix F, has been commercially available since 2021 and now stands at version 1.1.8

REA is a longtime supporter of the NATF Security Assessment Model and has publicly written on this topic: https://energycentral.com/c/gr/implementing-natf-supply-chain-assessment-model

REA continues to be engaged in the development of electric industry standards and cybersecurity best practices through participation in NPCC TFIST.

COMMENTS

Solarwinds acutely raised awareness to the real threats and risks that can impact any organization that uses software in their operations. Software supply chain attacks are very effective and efficient, with the ability to exploit a trusted software vendor and can rapidly affect, potentially 1000’s of customers. This stark reality has prompted the U.S. Government to take swift steps to secure the software supply chain, starting with the issuance of Cybersecurity Executive Order (EO) 14028 on May 12, 2021. This order requires federal entities to require software vendors to provide greater transparency into their cybersecurity and software development practices, software compositions and vulnerability reporting practices, including attestations by a software vendor of their adherence to these required practices.

One February 4, 2022 the National Institute of Standards and Technology (NIST) issued explicit guidance for federal agencies to implement software supply chain best practices to satisfy EO 14028 requirements. This guidance is intended to help federal agencies secure the software supply chain by requiring greater transparency through the issuance of SBOM’s and Vulnerability Disclosures for each delivered software package.

It is conceivable that some government operated utility entities, i.e. BPA and TVA, could be subject to meeting Executive Order 14028 requirements in addition to NERC/FERC regulations. REA recommends that NATF consider incorporating the February 4, 2022 guidance offered by NIST, by requiring SBOM’s, Vulnerability Reporting and vendor attestations along with NIST SP 800-161 R2 Appendix F guidelines to ensure the use of best practices for software supply chain cybersecurity across the Electric industry.

An example of how to align with the best practices prescribed by NIST for software supply chain requirements under Executive Order 14028  is provided by REA’s open-source Vendor Response File (VRF) and Vulnerability Disclosure Report attestation solutions that are used to communicate required evidence data for EO 14028 compliance.

• Example Vendor Response File (VRF) for EO 14028: https://github.com/rjb4standards/REA-Products/blob/master/SAGVendorResponseSAMPLE.xml
• Example Vulnerability Disclosure Report (SBOM VDR) for EO 14028: https://github.com/rjb4standards/REA-Products/blob/master/SAGVulnDisclosureSAMPLE.xml
• An overview of REA’s SAG-PM™ software product that implements NIST C-SCRM guidelines to meet EO 14028 requirements is available here: https://reliableenergyanalytics.com/products

            REA thanks the NATF for the opportunity to submit these comments.