Multistakeholder Process on Promoting Software Component Transparency, 26434-26436 [2018-12261]
26434
Federal Register / Vol. 83, No. 110 / Thursday, June 7, 2018 / Notices
DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

Multistakeholder Process on Promoting Software Component Transparency

AGENCY: National Telecommunications and Information Administration, U.S. Department of Commerce.

ACTION: Notice of Open Meeting.

SUMMARY: The National Telecommunications and Information Administration (NTIA) will convene meetings of a multistakeholder process on promoting software component transparency. This Notice announces the first meeting, which is scheduled for July 19, 2018.

DATES: The meeting will be held on July 19, 2018, from 10:00 a.m. to 4:00 p.m., Eastern Daylight Time.

ADDRESSES: The meeting will be held at the American Institute of Architects, 1735 New York Ave. NW, Washington, DC 20006.

FOR FURTHER INFORMATION CONTACT: Allan Friedman, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; telephone: (202) 482–4281; email: afriedman@ntia.doc.gov. Please direct media inquiries to NTIA's Office of Public Affairs: (202) 482–7002; email: press@ntia.doc.gov.

SUPPLEMENTARY INFORMATION:

Background: Since 2015, the National Telecommunications and Information Administration has sought public comment on several matters around information and cyber policy and security, the Internet of Things (IoT), and the health of the digital ecosystem. In 2015, NTIA issued a Request for Comment to "identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers." 1 In a separate but related matter in April 2016, NTIA, along with the Department's Internet Policy Task Force, sought comments on the "benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things." 2 Lastly, as part of Executive Order 13800, NTIA requested comments on "Promoting Stakeholder Action Against Botnets and Other Automated Threats." 3
Several themes emerged from these three public consultations. Many stakeholders emphasized the importance of community-led, consensus-driven, and risk-based solutions to address information security challenges, highlighting the role NTIA should play in convening multistakeholder processes. In the digital ecosystem, particular challenges were identified: understanding and handling vulnerability information, addressing the insecurities in the growing IoT marketplace, and fostering a secure development lifecycle. NTIA has convened two multistakeholder processes to address these policy and market challenges. The first focused on how to promote collaboration around communicating vulnerability information, and the second helped vendors and consumers understand policy and market concerns related to patching vulnerabilities.

The next initiative will focus on promoting software component transparency. Stakeholders will engage in an open and transparent process to explore the benefits and any potential risks of greater transparency. They may focus on incentives and barriers to adoption of transparency practices. The scope could include policy and international components. Transparency-driven solutions need not be prescriptive or regulatory, and can accommodate an ecosystem without a one-size-fits-all approach. The goal of this initiative is to foster a market that offers greater transparency on software components.

1 U.S. Department of Commerce, Internet Policy Task Force, Request for Public Comment, Stakeholder Engagement on Cybersecurity in the Digital Ecosystem, 80 FR 14360, Docket No. 150312253–5253–01 (Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/cybersecurity_rfc_03192015.pdf.

2 U.S. Department of Commerce, Internet Policy Task Force, Request for Public Comment, Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, 81 FR 19956, Docket No. 160331306–6306–01 (Apr. 5, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/rfc-potential-roles-government-fostering-advancement-internet-of-things.

3 U.S. Department of Commerce, Internet Policy Task Force, Request for Public Comment, Promoting Stakeholder Action Against Botnets and Other Automated Threats, 82 FR 27042, Docket No. 170602536–7536–01 (June 13, 2017), available at: https://www.ntia.doc.gov/files/ntia/publications/fr-ntia-cyber-eo-rfc-06132017.pdf.
Most modern software is not written completely from scratch, but includes existing components, modules, and libraries from the open source and commercial software world. Modern development practices such as code reuse, and a dynamic IT marketplace with acquisitions and mergers, make it challenging to track the use of software components. The Internet of Things compounds this phenomenon, as new organizations, enterprises and innovators take on the role of software developer to add "smart" features or connectivity to their products. While the majority of libraries and components do not have known vulnerabilities, many do, and the sheer quantity of software means that some software products ship with vulnerable or out-of-date components. Many technical solutions to aid in this have already been developed by industry and the standards community.

Vendors and developers also would find software component data useful. Cataloging the inputs to a software product is recognized as an important part of a secure development life cycle.4 Indeed, many organizations have developed internal processes to capture and manage this data for security purposes. Many others do so to manage licensing issues around third-party software components and intellectual property rights. Communicating information about the underlying components can be a strong security signifier, while still protecting the valuable intellectual property and source code in software and devices.
The importance of transparency in information security is widely recognized, and the notion of transparency around components of software and connected devices is not new. Academics identified the potential value of a "software bill of materials" as far back as 1995,5 and there are a growing number of commercial solutions for security, licensing, and asset management. The International Organization for Standardization (ISO) first standardized software identification (SWID) tags in 2009.6 In 2015, NIST published Guidelines for the Creation of Interoperable Software Identification (SWID) Tags,7 and their use has been slowly increasing. The open source community has also developed the Software Package Data Exchange (SPDX).8 This process will explore successful examples of use, and market barriers to increased adoption. From the perspective of the enterprise customer, it is hard to defend what one does not know. Transparency itself is not sufficient; the data must be useful and actionable. Understanding what is on an enterprise network is a key part of a security program. Having data about software components allows the enterprise customer to better understand the risks of potentially vulnerable software and devices.

4 The Software Assurance Forum for Excellence in Code (SAFECode), an industry consortium, has released a report on third-party components that cites a range of standards. Managing Security Risks Inherent in the Use of Third-party Components, SAFECode (May 2017), available at https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf.

5 Leblang D.B., Levine P.H., Software configuration management: Why is it needed and what should it do? In: Estublier J. (ed.) Software Configuration Management, Lecture Notes in Computer Science, vol. 1005, Springer, Berlin, Heidelberg (1995).
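The paragraph above names two component-identification formats, SWID tags and SPDX, and makes the point that component data only matters once it is actionable. What follows is an added example, not code from the NTIA notice, NIST, or the SPDX project: it reads a small SBOM in SPDX tag-value form and turns it into the list of components an enterprise customer would actually have to decide about. The tag names follow the SPDX specification, but the document itself (a fictional thermostat firmware), its package names and versions, and the advisory entries are constructed for illustration and do not describe real products or vulnerabilities. The reader handles only the handful of tags the sample uses; a production consumer would use a full SPDX library.

```python
"""Turning an SBOM into an actionable component-risk list.

Added example, not code from the NTIA notice, NIST or the SPDX project.
The SBOM and the advisory feed below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed SPDX 2.x tag-value document for a fictional IoT device
# firmware. Tag names follow the SPDX specification; the device, package
# names and versions are made up.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: smart-thermostat-fw-1.4.0
# Top-level product
PackageName: smart-thermostat-fw
SPDXID: SPDXRef-Package-fw
PackageVersion: 1.4.0
PackageDownloadLocation: NOASSERTION
# Third-party components
PackageName: libtls
SPDXID: SPDXRef-Package-libtls
PackageVersion: 2.3.1
PackageDownloadLocation: NOASSERTION
PackageName: jsonparse
SPDXID: SPDXRef-Package-jsonparse
PackageVersion: 0.9.8
PackageDownloadLocation: NOASSERTION
PackageName: zipcore
SPDXID: SPDXRef-Package-zipcore
PackageVersion: 1.2.11
PackageDownloadLocation: NOASSERTION
PackageName: vendor-blob
SPDXID: SPDXRef-Package-vendor-blob
PackageDownloadLocation: NOASSERTION
"""

# Constructed advisory feed: (package, first affected version,
# first fixed version, advisory id). These are not real advisories.
KNOWN_VULNS: List[Tuple[str, str, str, str]] = [
    ("libtls", "2.0.0", "2.3.2", "ADV-0001"),
    ("jsonparse", "0.9.0", "1.0.0", "ADV-0002"),
    ("zipcore", "1.0.0", "1.2.9", "ADV-0003"),
]


@dataclass
class Component:
    name: str
    version: Optional[str]  # None when the SBOM states no PackageVersion


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically: "1.2.11" sorts after "1.2.9",
    which a plain string comparison gets wrong."""
    return tuple(int(part) for part in version.split("."))


def parse_spdx_tag_value(text: str) -> List[Component]:
    """Minimal SPDX tag-value reader for the tags used in SAMPLE_SBOM.

    In tag-value documents a PackageName line opens a new package and the
    package tags that follow belong to it until the next PackageName.
    """
    components: List[Component] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and comment lines
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            components.append(Component(name=value, version=None))
        elif tag == "PackageVersion" and components:
            components[-1].version = value
    return components


def find_actionable(components: List[Component],
                    vulns: List[Tuple[str, str, str, str]] = KNOWN_VULNS):
    """Return (name, version, reason) for every component that needs a
    decision: a known-affected version, or a version the SBOM omits."""
    findings = []
    for comp in components:
        if comp.version is None:
            # An SBOM entry without a version cannot be matched against any
            # advisory; that gap is itself a finding to raise with the vendor.
            findings.append((comp.name, "NOASSERTION", "version not stated; cannot assess"))
            continue
        installed = parse_version(comp.version)
        for name, first_bad, first_fixed, advisory in vulns:
            if name == comp.name and parse_version(first_bad) <= installed < parse_version(first_fixed):
                findings.append((comp.name, comp.version, f"affected by {advisory}, fixed in {first_fixed}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in find_actionable(parse_spdx_tag_value(SAMPLE_SBOM)):
        print(f"{name} {version}: {reason}")
```

Run as a script, this reports libtls 2.3.1 and jsonparse 0.9.8 as affected and vendor-blob as unassessable, and stays silent on zipcore 1.2.11, which is above the constructed fix version 1.2.9; a string comparison of version numbers would have flagged it. The unassessable entry is the practical face of "transparency itself is not sufficient": an SBOM line that names a component without a version still leaves the customer unable to act.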
Any conversation around transparency must include a discussion of the needs of the diverse set of enterprise software users. Data about the underlying code can help both the customer and the vendor. It should be incorporated into a security-mature organization's existing vulnerability management solutions, and can help foster further innovation. Having access to this data can help organizations mitigate concerns around orphaned devices and products, and lower the risks of investing in new products by increasing capabilities to deal with future security issues.
NTIA will act as the convener, but stakeholders will drive the outcomes. Stakeholders will determine how to scope and organize the work through subgroups or other means. Success of the process will be evaluated by the extent to which broader findings on software component transparency are implemented across the ecosystem.

This multistakeholder process is not a standards development process and will not supplant ongoing standards efforts or discussions. NTIA will frame the initial conversation around the policy and market considerations for greater software component transparency. NTIA encourages cross-sector participation as this will help to prevent sector-specific solutions that could fragment the marketplace. NTIA encourages discussion of approaches and considerations from diverse sectors such as the medical device community, where the applicability of a "bill of materials" has garnered increased discussion and interest.9 This approach can promote a more efficient and adaptive marketplace for new products.

6 ISO/IEC 19770-2 "Software Identification Tag," originally published in 2009, updated in 2015, https://www.iso.org/standard/65666.html.

7 U.S. Department of Commerce, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags, National Institute of Standards and Technology Internal Report 8060 (Dec. 2015), available at: https://csrc.nist.gov/csrc/media/publications/nistir/8060/final/documents/nistir_8060_draft_fourth.pdf.

8 More information on the Software Package Data Exchange project is available at https://spdx.org.
Matters to Be Considered: The July 19, 2018, meeting will be the first in a series of NTIA-convened multistakeholder discussions on promoting software component transparency. Subsequent meetings will follow on a schedule determined by those participating in the first meeting. Stakeholders will engage in an open, transparent, and consensus-driven process to understand the range of issues involved. The multistakeholder process will involve hearing and understanding the perspectives of diverse stakeholders, explicitly sharing the perspectives of a range of software and IoT vendors and enterprise customers from across the digital economy.

The July 19, 2018, meeting is intended to bring stakeholders together to share the range of views on software component transparency, and to establish more concrete goals and structure of the process. The objectives of this first meeting are to: (1) share the perspectives and concerns of both the vendor and enterprise customer communities; (2) discuss and acknowledge what is already working; (3) explore obstacles and challenges for greater transparency and better risk decisions; (4) identify promising areas of potential collaboration; (5) engage stakeholders in a discussion of logistical issues, including internal structures such as a small drafting committee or various working groups, and the location and frequency of future meetings; and (6) identify concrete goals and stakeholder work following the first meeting. These topics could include, but are in no way limited to, an inventory of existing statutory, policy, regulatory, and market efforts to increase software component transparency; identification of incentives and disincentives for market adoption of approaches for software component transparency; exploration of statutory, policy, and regulatory activities that may inhibit adoption; accessible high-level guidance for strategic decision-makers; and review of international approaches to understand statutory, policy, and regulatory environments to understand effects on market adoption.

The main objective of further meetings will be to encourage and facilitate continued discussion among stakeholders to map the range of issues, and develop a consensus view for some determined aspects of transparency. This discussion may include the appropriate scope of the initiative and circulation of stakeholder-developed drafts. Stakeholders may also agree on procedural work plans for the group, including additional meetings or modified logistics for future meetings. NTIA suggests that stakeholders consider setting clear deadlines for working drafts and a phase for external review of such drafts, before reconvening to take account of external feedback.
More information about stakeholders' work will be available at: https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency.

Time and Date: NTIA will convene the first meeting of the multistakeholder process on Software Component Transparency on July 19, 2018, from 10:00 a.m. to 4:00 p.m. Eastern Daylight Time. Please refer to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the most current information.

Place: The meeting will be held at the American Institute of Architects, 1735 New York Ave. NW, Washington, DC 20006. The location of the meeting is subject to change. Please refer to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the most current information.

Other Information: The meeting is open to the public and the press on a first-come, first-served basis. Space is limited.

The meeting is physically accessible to people with disabilities. Requests for sign language interpretation or other auxiliary aids should be directed to Allan Friedman at (202) 482–4281 or afriedman@ntia.doc.gov at least seven (7) business days prior to each meeting.

The meetings will also be webcast. Requests for real-time captioning of the webcast or other auxiliary aids should be directed to Allan Friedman at (202) 482–4281 or afriedman@ntia.doc.gov at least seven (7) business days prior to each meeting. There will be an opportunity for stakeholders viewing the webcast to participate remotely in the meetings through a moderated conference bridge, including polling functionality. Access details for the meetings are subject to change. Please refer to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the most current information.

Dated: June 4, 2018.

David J. Redl,
Assistant Secretary for Communication and Information, National Telecommunications and Information Administration.

[FR Doc. 2018–12261 Filed 6–6–18; 8:45 am]

BILLING CODE 3510–60–P
committee or various working groups, and the location and frequency of
future meetings; and (6) identify concrete goals and stakeholder work
following the first meeting. These topics could include, but are in no
way limited to, an inventory of existing statutory, policy, regulatory,
and market efforts to increase software component transparency;
identification of incentives and disincentives for market adoption of
approaches for software component transparency; exploration of
statutory, policy, and regulatory activities that may inhibit adoption;
accessible high-level guidance for strategic decision-makers; and
review of international approaches, to understand how statutory,
policy, and regulatory environments affect market adoption.
The main objective of further meetings will be to encourage and
facilitate continued discussion among stakeholders to map the range of
issues, and develop a consensus view for some
determined aspects of transparency. This discussion may include the
appropriate scope of the initiative and circulation of stakeholder-
developed drafts. Stakeholders may also agree on procedural work plans
for the group, including additional meetings or modified logistics for
future meetings. NTIA suggests that stakeholders consider setting clear
deadlines for working drafts and a phase for external review of such
drafts, before reconvening to take account of external feedback.
More information about stakeholders' work will be available at:
https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency.
Time and Date: NTIA will convene the first meeting of the
multistakeholder process on Software Component Transparency on July 19,
2018, from 10:00 a.m. to 4:00 p.m. Eastern Daylight Time. Please refer
to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the most current information.
Place: The meeting will be held at the American Institute of
Architects, 1735 New York Ave. NW, Washington, DC 20006. The location
of the meeting is subject to change. Please refer to NTIA's website,
https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency,
for the most current information.
Other Information: The meeting is open to the public and the press
on a first-come, first-served basis. Space is limited.
The meeting is physically accessible to people with disabilities.
Requests for sign language interpretation or other auxiliary aids
should be directed to Allan Friedman at (202) 482-4281 or
[email protected] at least seven (7) business days prior to each
meeting. The meetings will also be webcast. Requests for real-time
captioning of the webcast or other auxiliary aids should be directed to
Allan Friedman at (202) 482-4281 or [email protected] at least
seven (7) business days prior to each meeting. There will be an
opportunity for stakeholders viewing the webcast to participate
remotely in the meetings through a moderated conference bridge,
including polling functionality. Access details for the meetings are
subject to change. Please refer to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the
most current information.
Dated: June 4, 2018.
David J. Redl,
Assistant Secretary for Communication and Information, National
Telecommunications and Information Administration.
[FR Doc. 2018-12261 Filed 6-6-18; 8:45 am]
BILLING CODE 3510-60-P