The National Security Agency has updated its software bill of materials for its IT partners and agencies.
The updated SBOM will provide companies with guidelines for better managing vulnerability disclosures and patches.
"The dramatic increase in cyber compromises over the past five years, specifically of software supply chains, prompted intense scrutiny of measures to strengthen the resilience of supply chains for software used throughout government and critical infrastructure," the NSA said in rolling out the new requirements.
The new SBOM will emphasize basic security principles including patch management, authentication of software being used, and incident management when a compromise or zero day flaw is detected.
The idea is to provide government agencies with a better footing for flaws and patch management.
Additionally, the updated bill will place further requirements on companies that contract with the US government in regards for addressing vulnerabilities.
"Software developers must take ownership of their customers’ security outcomes rather than treating each product as if it carries an implicit caveat emptor," the NDA said.
The exposure of vulnerabilities and the ability to address them has only become more prevalent in recent years. With supply chains opening up and suppliers becoming more open to attack, securing the middle ground is more important than ever.
“As Software Bills of Materials become more integral to Cybersecurity Supply Chain Risk Management standards, best practices will become critical to ensuring efficiency and reliability of the software supply chain," NSA cybersecurity director Rob Joyce said in a statement provided to The Stack.
"Network owners and operators we work with count on NSA to advise them on shoring up their defenses."
In practice, this means companies have to do more to secure the stack and address the middle ground between the supplier and the end consumer.
