December 11, 2023 NJCCIC Public/Private Sector IT-Security Professional Members, The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and industry partners have released a guide developed by the Enduring Security Framework entitled, Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials (SBOMs). This report provides guidance in line with industry best practices and principles, including managing open source SBOM to maintain and provide awareness about the security of software. Specifically, the report provides more details on Open Source Software (OSS) adoption and the areas to consider when evaluating and deploying an open source component into an existing product development environment including: its composition; process and procedures used when adopting OSS; and management, tracking and distribution of approved software components using an SBOM. OSS is an essential and valuable component in many commercial and public-sector products and services, and collaboration on OSS often enables great cost-savings for participants. However, organizations that do not follow a consistent and secure by design management practice for the OSS they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident. The Enduring Security Framework is a cross-sector working group that operates under the auspices of Critical Infrastructure Partnership Advisory Council (CIPAC) to address threats and risks to the security and stability of US national security systems. It is comprised of experts from the US government as well as industry representatives from information technology, communications, and the Defense Industrial Base. For more information on CISA’s work in these areas, visit Open Source Software Security and Software Bill of Materials. |