Software Consumer Guidance: How to implement SBOM for Executive Order 14028

Richard Brooks
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

  • Feb 14, 2022

Guidance for government agencies describing “how to” meet the requirements of Cybersecurity Executive Order (EO) 14028 is provided, largely by NIST. The “bible” for this guidance is found in NIST SP 800-161 R2, Appendix F (due for final release shortly). On February 4, 2022 NIST published guidance for software vendors to comply with EO 14028, which presents some early insight as to what guidance might be contained in the final version of NIST SP 800-161 for government agencies to follow.

Energy Central has been at the forefront of helping companies understand Software Bill of Materials (SBOM) and its critical role in software risk assessments for EO 14028, following the guidance provided in Appendix F of NIST 800-161 (final version due shortly from NIST). The following guidance is provided to answer the question “What should a government agency do to satisfy EO 14028 requirements, per NIST SP 800-161, Appendix F?”

  1. Read the May 12, 2021 Cybersecurity Executive Order 14028, paying close attention to section 4 requirements
  2. Get a baseline understanding of SBOM.
  3. Learn how to perform a software supply chain risk assessment using SBOM from this Energy Central Powersession video.
  4. Follow Energy Central guidance for software consumers of SBOM
    1. Ask your vendor to provide an SBOM for a product and version which you intend to install
    2. Ask the software vendor to provide the SBOM in an NTIA compliant format (SPDX or CycloneDX) and file format, i.e. JSON, XML (CycloneDX) or Tag/Value (SPDX)
    3. Ask the vendor to use open-source, free-to-use solutions to provide access to all of the evidence data needed for a risk assessment, including a link to an SBOM vulnerability report that answers the question: “What is the vulnerability status of product P, version V from Supplier S at time(NOW) at the SBOM component level?” Think of this as a “CARFAX” report for a software product, listing all of the known defects and their status at any point in time.
  5. Identify solution providers and services to help with EO 14028 section 4 software supply chain risk assessment implementation, following the approach used by the Department of Health and Human Services, Centers for Medicare and Medicaid
  6. Carefully evaluate each vendor offering following NIST Guidance to ensure that all required attestations are provided by a vendor, and prepare a pilot implementation with a cooperative software vendor that implements NTIA compliant SBOMs and provides vulnerability reports with each SBOM. An open source vendor response file format may be used by a software vendor to communicate attestation materials to a software consumer. This will ensure that this NIST guidance is followed: "This is especially true for post-release practices such as vulnerability disclosure and response, where processes might not yet have been performed for the latest release." Get the SBOM VDR "CARFAX for SBOM" from each vendor.
  7. Read NIST SP 800-161 R2 Appendix F and use it as an EO 14028 compliance checklist for your pilot implementation.
  8. Perform the pilot project implementation, documenting the process throughout. Look for areas of improvement and refine the process until you are confident that the process is repeatably successful.
  9. Follow the repeatable process on each software product that meets the critical software criteria released by NIST, used in your digital ecosystem.
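
For step 4, a software consumer can check a delivered SBOM before starting the risk assessment. The following is an added example, not part of the original post or of any vendor tool: it checks a CycloneDX JSON file for the NTIA minimum data fields (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp). The mapping of those fields onto CycloneDX keys is an assumption of this sketch, the sample SBOM is constructed, and SPDX and XML inputs are not handled.

```python
import json

# Constructed sample SBOM (CycloneDX JSON); all names are invented for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2022-02-14T00:00:00Z",
                 "authors": [{"name": "Example Vendor Release Team"}]},
    "components": [
        {"bom-ref": "a", "name": "libalpha", "version": "1.2.0",
         "supplier": {"name": "Alpha Project"},
         "purl": "pkg:generic/libalpha@1.2.0"},
        {"bom-ref": "b", "name": "libbeta", "version": "",
         "purl": "pkg:generic/libbeta"},
    ],
    "dependencies": [{"ref": "a", "dependsOn": ["b"]}],
})


def check_ntia_minimum(sbom_text):
    """Return the gaps found against the NTIA minimum data fields."""
    try:
        bom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX JSON document"]
    gaps = []
    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):
        gaps.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("metadata: missing author of SBOM data")
    # Collect every bom-ref that appears anywhere in the dependency graph.
    graph = set()
    for dep in bom.get("dependencies") or []:
        graph.add(dep.get("ref"))
        graph.update(dep.get("dependsOn") or [])
    for comp in bom.get("components") or []:
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        checks = [
            ("component name", comp.get("name")),
            ("version", comp.get("version")),
            ("supplier name", (comp.get("supplier") or {}).get("name")),
            ("unique identifier", comp.get("purl") or comp.get("cpe") or comp.get("swid")),
            ("dependency relationship", comp.get("bom-ref") in graph),
        ]
        gaps += [f"{label}: missing {what}" for what, ok in checks if not ok]
    return gaps
```

An empty list means every field was present; any entry is a question to send back to the vendor before the SBOM is used as risk-assessment evidence.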