
What is a NIST SBOM Vulnerability Disclosure Report (VDR)

image credit: Used with permission: National Institute of Standards and Technology
Co-Founder and Lead Software Engineer, Reliable Energy Analytics (REA)

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

Aug 24, 2022

On May 5, 2022, NIST published its recommendations to satisfy Cybersecurity Executive Order 14028, issued May 12, 2021. The Executive Order (EO) assigned NIST the authority to produce specific cybersecurity guidance.

People have been asking what a NIST SBOM VDR contains and how it is used. This article answers these questions, based on the materials NIST provides in its standards and its guidelines for Executive Order 14028, following the ISO/IEC 29147:2018 vulnerability disclosure standard.

NIST has produced several guidance documents to help software vendors and software consumers implement the requirements outlined in EO 14028. Let’s start by reviewing the EO requirements that NIST was tasked with addressing. They include multiple software supply chain policies and practices, but only two of the items listed under EO 14028 Section 4(e) pertain to software vulnerability reporting by vendors:

(iv) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;
(v) providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;

These mandates led to the publication of NIST SP 800-161 Revision 1, NIST’s Executive Order 14028 website recommendations, and the Secure Software Development Attestations. These publications cover many topics, but this article focuses on only one of them: the recommendations for SBOM Vulnerability Disclosure Reports (VDR). It all starts with the requirement for software vendors to produce attestations about their software supply chain practices, based on the NIST Secure Software Development Framework (SSDF). A VDR is an attestation, per NIST recommendations (see bullet 2 below), by a software vendor showing that each component in a software product SBOM has been checked for vulnerabilities prior to release of the product. This description is a summary based on “connecting the dots” across the various NIST documents on this topic, starting with the requirement to provide attestations related to the SSDF, SP 800-161 R1, and the materials in NIST’s EO 14028 guidelines pertaining to vulnerability disclosure reporting:

Examples of enhanced attestation capabilities include:

  • Supplier certifications, site visits, and/or third-party assessment and attestation
  • Higher frequency and/or continuous monitoring of supplier adherence to attestation commitments
  • Collection and review of lower-level artifacts, including functional and technical security controls
  • Higher fidelity SBOMs, including vendor vulnerability disclosure reports at the component level

AND this reference:

2. Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle. With the highly dynamic nature of software today, attesting to how things were and are done on an ongoing basis (processes and procedures) is typically more valuable than attesting to how things were done for a specific software release generated by one instance of those processes. This is especially true for post-release practices such as vulnerability disclosure and response, where processes might not yet have been performed for the latest release.


NIST does not prescribe the format for attestation artifacts, but guidance is provided on the information that needs to be included in such attestations. With regard to the contents of a NIST Vulnerability Disclosure Report, clear guidelines are provided in SP 800-161 R1 requirement RA-5 (search the document for RA-5):

RA-5 VULNERABILITY MONITORING AND SCANNING

Supplemental C-SCRM Guidance: Vulnerability monitoring should cover suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers in the enterprise’s supply chain. This includes employing data collection tools to maintain a continuous state of awareness about potential vulnerability to suppliers, as well as the information systems, system components, and raw inputs that they provide through the cybersecurity supply chain. Vulnerability monitoring activities should take place at all three levels of the enterprise. Scoping vulnerability monitoring activities requires enterprises to consider suppliers as well as their sub-suppliers. Enterprises, where applicable and appropriate, may consider providing customers with a Vulnerability Disclosure Report (VDR) to demonstrate proper and complete vulnerability assessments for components listed in SBOMs. The VDR should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component or product. The VDR should also contain information on plans to address the CVE. Enterprises should consider publishing the VDR within a secure portal available to customers and signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature and associated VDR. Enterprises should also consider establishing a separate notification channel for customers in cases where vulnerabilities arise that are not disclosed in the VDR. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

A NIST VDR is an implementation of ISO/IEC 29147:2018, the international standard for vulnerability disclosure to stakeholders.

The recommendation by NIST to provide software consumers with a NIST VDR is gaining traction as a best practice. The latest version of the SPDX SBOM standard, version 2.3, includes provisions (K.1.9) enabling a software vendor to associate a specific SBOM document for a software product with its online NIST VDR attestation for that product; the VDR is linked from within the SBOM. The link refers to a “living” SBOM VDR document that the software vendor updates whenever new vulnerabilities are reported. The OWASP CycloneDX SBOM standard also supports NIST VDR documents and the CycloneDX VEX format. Having this “always updated NIST VDR” available enables software consumers to answer the question “What is the vulnerability status of my software product from Vendor V, as of NOW?”, giving consumers ongoing, up-to-date visibility into the risks that may be present in an installed software product as new vulnerabilities (CVEs) are reported.

As stated previously, NIST did not prescribe a format for a NIST VDR attestation, but guidance is provided on what data a VDR includes. Reliable Energy Analytics (REA) has produced an open-source “interpretation” of what a NIST VDR contains in order to meet EO 14028, which is available here as an XML Schema, with samples provided in XML and JSON formats. An alternative and equally effective VDR representation is also available from OWASP CycloneDX SBOM VDR version 1.4.

In summary, a NIST Vulnerability Disclosure Report (VDR) is an attestation by a software vendor showing that the vendor has checked each component of a software product SBOM for vulnerabilities, and it reports the details of any vulnerabilities returned by a NIST NVD search. The VDR is a living document that the software vendor updates as needed when new vulnerabilities are discovered and reported, to communicate the vulnerability status of its product in accordance with the international standard for communicating vulnerability disclosures, ISO/IEC 29147:2018. A VDR is published whenever a software vendor issues a new or updated SBOM, including the initial product release, and is available online, all the time, to all customers of the product described in the VDR. This gives software consumers the ability to answer the question “What is the vulnerability status of my software product from Vendor V, as of NOW?”.
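The RA-5 guidance quoted above lists what a VDR carries (per-component findings, impact analysis, a plan for each CVE, and a signature with a timestamp), and the SPDX/CycloneDX discussion explains how a consumer uses the living document to answer the “as of NOW” question. The following Go program is an added illustration of that workflow and is not code from the article, from REA, or from any NIST or OWASP project. Its document structure and field names are this example’s own, not REA’s XML schema or the CycloneDX VDR format; the product, component names and CVE identifiers are constructed placeholders. It signs a VDR with Ed25519 over the timestamp and payload, verifies it on the consumer side, checks that every SBOM component was assessed, and lists the CVEs the vendor has not cleared.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ComponentFinding is the per-component record RA-5 asks for: the reported
// CVEs, the vendor's impact analysis, and the plan to address them.
// Field names are this example's own (hypothetical), not REA's schema or CycloneDX VDR.
type ComponentFinding struct {
	Component string   `json:"component"` // SBOM component, e.g. "name@version"
	CVEs      []string `json:"cves"`      // CVE IDs returned by the vendor's NVD search
	Impact    string   `json:"impact"`    // "affected", "not_affected" or "under_investigation"
	Plan      string   `json:"plan"`      // remediation plan, empty when none is needed
}

// VDR is the living document the vendor republishes as findings change.
type VDR struct {
	Product  string             `json:"product"`
	SBOMRef  string             `json:"sbom_ref"` // the SBOM this VDR attests to
	Updated  time.Time          `json:"updated"`  // vendor's last refresh
	Findings []ComponentFinding `json:"findings"`
}

// SignedVDR carries the serialized VDR, the signing timestamp RA-5 calls for,
// and an Ed25519 signature that covers both.
type SignedVDR struct {
	Payload   []byte    `json:"payload"`
	Timestamp time.Time `json:"timestamp"`
	Signature []byte    `json:"signature"`
}

// signedBytes binds the timestamp to the payload so neither can be swapped alone.
func signedBytes(ts time.Time, payload []byte) []byte {
	return append([]byte(ts.UTC().Format(time.RFC3339Nano)+"\n"), payload...)
}

// Sign serializes the VDR and signs it with the vendor's private key.
func Sign(v VDR, priv ed25519.PrivateKey, ts time.Time) (SignedVDR, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return SignedVDR{}, err
	}
	return SignedVDR{Payload: payload, Timestamp: ts, Signature: ed25519.Sign(priv, signedBytes(ts, payload))}, nil
}

// Verify is the consumer side: check the signature with the vendor's published
// public key, then decode the VDR. Any change to payload or timestamp fails.
func Verify(s SignedVDR, pub ed25519.PublicKey) (VDR, error) {
	if !ed25519.Verify(pub, signedBytes(s.Timestamp, s.Payload), s.Signature) {
		return VDR{}, errors.New("VDR signature does not verify")
	}
	var v VDR
	if err := json.Unmarshal(s.Payload, &v); err != nil {
		return VDR{}, err
	}
	return v, nil
}

// MissingComponents lists SBOM components the VDR never assessed; a complete
// VDR in the RA-5 sense returns an empty slice.
func MissingComponents(v VDR, sbomComponents []string) []string {
	seen := map[string]bool{}
	for _, f := range v.Findings {
		seen[f.Component] = true
	}
	var missing []string
	for _, c := range sbomComponents {
		if !seen[c] {
			missing = append(missing, c)
		}
	}
	return missing
}

// OpenCVEs answers "what is the vulnerability status as of now": every CVE
// the vendor has not cleared as not_affected.
func OpenCVEs(v VDR) []string {
	var open []string
	for _, f := range v.Findings {
		if f.Impact != "not_affected" {
			open = append(open, f.CVEs...)
		}
	}
	return open
}

// SampleVDR is constructed sample data for a fictional product; the CVE IDs
// are placeholders, not real advisories.
func SampleVDR() VDR {
	return VDR{
		Product: "example-meter-gateway 3.2.0",
		SBOMRef: "SPDXRef-DOCUMENT-example-meter-gateway-3.2.0",
		Updated: time.Date(2022, 8, 24, 12, 0, 0, 0, time.UTC),
		Findings: []ComponentFinding{
			{Component: "libexample@1.4.2", CVEs: []string{"CVE-0000-00001"}, Impact: "not_affected"},
			{Component: "examplehttp@2.0.1", CVEs: []string{"CVE-0000-00002"}, Impact: "affected", Plan: "upgrade to 2.0.2 in release 3.2.1"},
			{Component: "exampleutil@0.9.0", Impact: "not_affected"},
		},
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor's signing key pair
	signed, _ := Sign(SampleVDR(), priv, time.Now())
	v, err := Verify(signed, pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("open CVEs:", OpenCVEs(v))
	fmt.Println("unassessed:", MissingComponents(v, []string{"libexample@1.4.2", "examplehttp@2.0.1", "extra@1.0.0"}))
	// Editing the payload after signing must be detected by the consumer.
	tampered := signed
	tampered.Payload = bytes.Replace(tampered.Payload, []byte(`"affected"`), []byte(`"not_affected"`), 1)
	_, err = Verify(tampered, pub)
	fmt.Println("tampered copy verifies:", err == nil)
}
```

The consumer keeps the vendor’s public key from a trusted channel and re-runs `Verify` each time the living document is fetched; the timestamp inside the signed bytes tells the consumer how fresh the attestation is, and `MissingComponents` turns “each component has been checked” from a claim into a mechanical check against the SBOM.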

Discussions
masato matsuoka on Jul 12, 2023

Thanks for the good article.
BTW, is VDR part of NERC CIP, or will it be in the future?

Richard Brooks on Jul 12, 2023

VDR is a NIST concept and is not part of NERC CIP.
