2023-12-15

The National Security Agency has released recommendations and best practices for utilizing software bills of materials, or SBOM, to mitigate risks associated with the U.S. software supply chain.

The new document suggests that network owners and operators examine and manage risk before acquiring software, analyze vulnerabilities after deploying new software and implement incident management to detect and respond to vulnerabilities, the NSA said on Thursday.

“Network owners and operators we work with count on NSA to advise them on shoring up their defenses. These guidelines provide the information they need to select the appropriate tools to reduce an organization’s overall risk exposure,” said two-time Wash100 Award winner Rob Joyce, who serves as cybersecurity director at NSA and deputy national manager for the National Security System (NSS).

Recommendations in the document were derived from research and evaluation of various SBOM management tools through a collaborative effort by the Office of the National Manager for NSS and other NSA units. These guidelines are designed to help users incorporate SBOM management functions that align with a Cybersecurity Supply Chain Risk Management strategy.