Multistakeholder Process on Promoting Software Component Transparency, 26434-26436 [2018-12261]

Download as PDF 26434 Federal Register / Vol. 83, No. 110 / Thursday, June 7, 2018 / Notices Dated: June 4, 2018. Jennifer M. Wallace, Acting Director, Office of Sustainable Fisheries, National Marine Fisheries Service. 4. August 21, 2018, 9 a.m.–5 p.m., DoubleTree Hotel, 1702 Seawall Boulevard, Galveston, TX 77550. 5. September 5, 2018, 9 a.m.–5 p.m., Hilton Garden Inn, 1101 US Highway 231, Panama City, FL 32405. 6. September 19, 2018, 9 a.m.–5 p.m., Hilton Garden Inn, 1 Thurber Street, Warwick, RI 02886. [FR Doc. 2018–12275 Filed 6–6–18; 8:45 am] Registration National Telecommunications and Information Administration To register for a scheduled Safe Handling, Release, and Identification Workshop, please contact Angler Conservation Education at (386) 682– 0158. Pre-registration is highly recommended, but not required. National Telecommunications and Information Administration, U.S. Department of Commerce. ACTION: Notice of Open Meeting. AGENCY: To ensure that workshop certificates are linked to the correct permits, participants will need to bring the following specific items with them to the workshop: • Individual vessel owners must bring a copy of the appropriate swordfish and/or shark permit(s), a copy of the vessel registration or documentation, and proof of identification. • Representatives of a businessowned or co-owned vessel must bring proof that the individual is an agent of the business (such as articles of incorporation), a copy of the applicable swordfish and/or shark permit(s), and proof of identification. • Vessel operators must bring proof of identification. sradovich on DSK3GMQ082PROD with NOTICES Workshop Objectives The Safe Handling, Release, and Identification Workshops are designed to teach longline and gillnet fishermen the required techniques for the safe handling and release of entangled and/ or hooked protected species, such as sea turtles, marine mammals, and smalltooth sawfish, and prohibited sharks. In an effort to improve reporting, the proper identification of protected species and prohibited sharks will also be taught at these workshops. Additionally, individuals attending these workshops will gain a better understanding of the requirements for participating in these fisheries. The overall goal of these workshops is to provide participants with the skills needed to reduce the mortality of protected species and prohibited sharks, which may prevent additional regulations on these fisheries in the future. VerDate Sep<11>2014 17:19 Jun 06, 2018 Jkt 244001 DEPARTMENT OF COMMERCE Multistakeholder Process on Promoting Software Component Transparency Registration Materials Authority: 16 U.S.C. 1801 et seq. BILLING CODE 3510–22–P The National Telecommunications and Information Administration (NTIA) will convene meetings of a multistakeholder process on promoting software component transparency. This Notice announces the first meeting, which is scheduled for July 19, 2018. DATES: The meeting will be held on July 19, 2018, from 10:00 a.m. to 4:00 p.m., Eastern Daylight Time. ADDRESSES: The meeting will be held at the American Institute of Architects, 1735 New York Ave. NW, Washington, DC 20006. FOR FURTHER INFORMATION CONTACT: Allan Friedman, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; telephone: (202) 482–4281; email: afriedman@ntia.doc.gov. Please direct media inquiries to NTIA’s Office of Public Affairs: (202) 482–7002; email: press@ntia.doc.gov. SUPPLEMENTARY INFORMATION: Background: Since 2015, the National Telecommunications and Information Administration has sought public comment on several matters around information and cyber policy and security, the Internet of Things (IoT), and the health of the digital ecosystem. In 2015, NTIA issued a Request for Comment to ‘‘identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.’’ 1 In a SUMMARY: 1 U.S. Department of Commerce, internet Policy Task Force, Request for Public Comment, Stakeholder Engagement on Cybersecurity in the PO 00000 Frm 00025 Fmt 4703 Sfmt 4703 separate but related matter in April 2016, NTIA, along with the Department’s internet Policy Task Force, sought comments on the ‘‘benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things.’’ 2 Lastly, as part of Executive Order 13800, NTIA requested comments on ‘‘Promoting Stakeholder Action Against Botnets and Other Automated Threats.’’ 3 Several themes emerged from these three public consultations. Many stakeholders emphasized the importance of community-led, consensus-driven, and risk-based solutions to address information security challenges, highlighting the role NTIA should play in convening multistakeholder processes. In the digital ecosystem, particular challenges were identified: Understanding and handling vulnerability information, addressing the insecurities in the growing IoT marketplace, and fostering a secure development lifecycle. NTIA has convened two multistakeholder processes to address these policy and market challenges. The first focused on how to promote collaboration around communicating vulnerability information, and the second helped vendors and consumers understand policy and market concerns related to patching vulnerabilities. The next initiative will focus on promoting software component transparency. Stakeholders will engage in an open and transparent process to explore the benefits and any potential risks of greater transparency. They may focus on incentives and barriers to adoption of transparency practices. The scope could include policy and international components. Transparency-driven solutions need not be prescriptive or regulatory, and can accommodate an ecosystem without a one-size-fits-all approach. The goal of this initiative is to foster a market that Digital Ecosystem, 80 FR 14360, Docket No. 150312253–5253–01 (Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/ cybersecurity_rfc_03192015.pdf. 2 U.S. Department of Commerce, internet Policy Task Force, Request for Public Comment, Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, 81 FR 19956, Docket No 160331306–6306– 01 (Apr. 5, 2016), available at: https:// www.ntia.doc.gov/federal-register-notice/2016/rfcpotential-roles-government-fostering-advancementinternet-of-things. 3 U.S. Department of Commerce, internet Policy Task Force, Request for Public Comment, Promoting Stakeholder Action Against Botnets and Other Automated Threats, 82 FR 27042, Docket No. 170602536–7536–01 (Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/frntia-cyber-eo-rfc-06132017.pdf. E:\FR\FM\07JNN1.SGM 07JNN1 Federal Register / Vol. 83, No. 110 / Thursday, June 7, 2018 / Notices sradovich on DSK3GMQ082PROD with NOTICES offers greater transparency on software components. Most modern software is not written completely from scratch, but includes existing components, modules, and libraries from the open source and commercial software world. Modern development practices such as code reuse, and a dynamic IT marketplace with acquisitions and mergers, make it challenging to track the use of software components. The Internet of Things compounds this phenomenon, as new organizations, enterprises and innovators take on the role of software developer to add ‘‘smart’’ features or connectivity to their products. While the majority of libraries and components do not have known vulnerabilities, many do, and the sheer quantity of software means that some software products ship with vulnerable or out-ofdate components. Many technical solutions to aid in this have already been developed by industry and the standards community. Vendors and developers also would find software component data useful. Cataloging the inputs to a software product is recognized as an important part of a secure development life cycle.4 Indeed, many organizations have developed internal processes to capture and manage this data for security purposes. Many others do so to manage licensing issues around third-party software components and intellectual property rights. Communicating information about the underlying components can be a strong security signifier, while still protecting the valuable intellectual property and source code in software and devices. The importance of transparency in information security is widely recognized, and the notion of transparency around components of software and connected devices is not new. Academics identified the potential value of a ‘‘software bill of materials’’ as far back as 1995,5 and there are a growing number of commercial solutions for security, licensing, and asset management. The International Standards Organization (ISO) first standardized software identification 4 The Software Assurance Forum for Excellence in Code (SAFECode), an industry consortium, has released a report on third party components that cites a range of standards. Managing Security Risks Inherent in the Use of Third-party Components, SAFECode (May 2017), available at https:// www.safecode.org/wp-content/uploads/2017/05/ SAFECode_TPC_Whitepaper.pdf. 5 Leblang D.B., Levine P.H., Software configuration management: Why is it needed and what should it do? In: Estublier J. (eds) Software Configuration Management Lecture Notes in Computer Science, vol. 1005, Springer, Berlin, Heidelberg (1995). VerDate Sep<11>2014 17:19 Jun 06, 2018 Jkt 244001 (SWID) tags in 2009.6 In 2015, NIST published Guidelines for the Creation of Interoperable Software Identification (SWID) Tags,7 and their use has been slowly increasing. The open source community has also developed the Software Package Data Exchange.8 This process will explore successful examples of use, and market barriers to increased adoption. From the perspective of the enterprise customer, it is hard to defend what one does not know. Transparency itself is not sufficient; the data must be useful and actionable. Understanding what is on an enterprise network is a key part of a security program. Having data about software components allows the enterprise customer to better understand the risks of potentially vulnerable software and devices. Any conversation around transparency must include a discussion of the needs of the diverse set of enterprise software users. Data about the underlying code can help both the customer and the vendor. It should be incorporated into a security-mature organization’s existing vulnerability management solutions, and can help foster further innovation. Having access to this data can help organizations mitigate concerns around orphaned devices and products, and lower the risks of investing in new products by increasing capabilities to deal with future security issues. NTIA will act as the convener, but stakeholders will drive the outcomes. Stakeholders will determine how to scope and organize the work through subgroups or other means. Success of the process will be evaluated by the extent to which broader findings on software component transparency are implemented across the ecosystem. This multistakeholder process is not a standards development process and will not supplant ongoing standards efforts or discussions. NTIA will frame the initial conversation around the policy and market considerations for greater software component transparency. NTIA encourages cross-sector participation as this will help to prevent sector-specific solutions that could fragment the marketplace. NTIA encourages discussion of approaches and 6 ISO/IEC 19770 ‘‘Software Identification Tag,’’ originally published in 2009, updated in 2015, https://www.iso.org/standard/65666.html. 7 U.S. Department of Commerce, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags, National Institute of Standards and Technology Internal Report 8060 (Dec. 2015), available at: https://csrc.nist.gov/csrc/media/ publications/nistir/8060/final/documents/nistir_ 8060_draft_fourth.pdf. 8 More information on the Software Package Data Exchange project is available at https://spdx.org. PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 26435 considerations from diverse sectors such as the medical device community, where the applicability of a ‘‘bill of materials’’ has garnered increased discussion and interest.9 This approach can promote a more efficient and adaptive marketplace for new products. Matters to Be Considered: The July 19, 2018, meeting will be the first in a series of NTIA-convened multistakeholder discussions on promoting software component transparency. Subsequent meetings will follow on a schedule determined by those participating in the first meeting. Stakeholders will engage in an open, transparent, and consensusdriven process to understand the range of issues involved. The multistakeholder process will involve hearing and understanding the perspectives of diverse stakeholders, explicitly sharing the perspectives of a range of software and IoT vendors and enterprise customers from across the digital economy. The July 19, 2018, meeting is intended to bring stakeholders together to share the range of views on software component transparency, and to establish more concrete goals and structure of the process. The objectives of this first meeting are to: (1) Share the perspectives and concerns of both the vendor and enterprise customer communities; (2) discuss and acknowledge what is already working; (3) explore obstacles and challenges for greater transparency and better risk decisions; (4) identify promising areas of potential collaboration; (5) engage stakeholders in a discussion of logistical issues, including internal structures such as a small drafting committee or various working groups, and the location and frequency of future meetings; and (6) identify concrete goals and stakeholder work following the first meeting. These topics could include, but are in no way limited to, an inventory of existing statutory, policy, regulatory, and market efforts to increase software component transparency; identification of incentives and disincentives for market adoption of approaches for software component transparency; exploration of statutory, policy, and regulatory activities that may inhibit adoption; accessible high-level guidance for strategic decision-makers; and review of international approaches to understand statutory, policy, and regulatory environments to understand effects on market adoption. The main objective of further meetings will be to encourage and facilitate continued discussion among stakeholders to map the range of issues, and develop a consensus view for some E:\FR\FM\07JNN1.SGM 07JNN1 sradovich on DSK3GMQ082PROD with NOTICES 26436 Federal Register / Vol. 83, No. 110 / Thursday, June 7, 2018 / Notices determined aspects of transparency. This discussion may include the appropriate scope of the initiative and circulation of stakeholder-developed drafts. Stakeholders may also agree on procedural work plans for the group, including additional meetings or modified logistics for future meetings. NTIA suggests that stakeholders consider setting clear deadlines for working drafts and a phase for external review of such drafts, before reconvening to take account of external feedback. More information about stakeholders’ work will be available at: https:// www.ntia.doc.gov/other-publication/ 2018/SoftwareTransparency. Time and Date: NTIA will convene the first meeting of the multistakeholder process on Software Component Transparency on July 19, 2018, from 10:00 a.m. to 4:00 p.m. Eastern Daylight Time. Please refer to NTIA’s website, https://www.ntia.doc.gov/otherpublication/2018/Software Transparency, for the most current information. Place: The meeting will be held at the American Institute of Architects, 1735 New York Ave. NW, Washington, DC 20006. The location of the meeting is subject to change. Please refer to NTIA’s website, https://www.ntia.doc.gov/ other-publication/2018/Software Transparency, for the most current information. Other Information: The meeting is open to the public and the press on a first-come, first-served basis. Space is limited. The meeting is physically accessible to people with disabilities. Requests for sign language interpretation or other auxiliary aids should be directed to Allan Friedman at (202) 482–4281 or afriedman@ntia.doc.gov at least seven (7) business days prior to each meeting. The meetings will also be webcast. Requests for real-time captioning of the webcast or other auxiliary aids should be directed to Allan Friedman at (202) 482–4281 or afriedman@ntia.doc.gov at least seven (7) business days prior to each meeting. There will be an opportunity for stakeholders viewing the webcast to participate remotely in the meetings through a moderated conference bridge, including polling functionality. Access details for the meetings are subject to change. Please refer to NTIA’s website, https:// www.ntia.doc.gov/other-publication/ 2018/SoftwareTransparency, for the most current information. VerDate Sep<11>2014 17:19 Jun 06, 2018 Jkt 244001 Dated: June 4, 2018. David J. Redl, Assistant Secretary for Communication and Information, National Telecommunications and Information Administration. [FR Doc. 2018–12261 Filed 6–6–18; 8:45 am] BILLING CODE 3510–60–P COMMODITY FUTURES TRADING COMMISSION Agency Information Collection Activities: Notice of Intent To Renew Collection 3038–0093, Part 40, Provisions Common to Registered Entities Commodity Futures Trading Commission. ACTION: Notice. AGENCY: The Commodity Futures Trading Commission (‘‘Commission’’ or ‘‘CFTC’’) is announcing an opportunity for public comment on the proposed collection of certain information by the agency. Under the Paperwork Reduction Act (‘‘PRA’’), Federal agencies are required to publish notice in the Federal Register concerning each proposed collection of information, including each proposed extension of an existing collection, and to allow 60 days for public comment. This notice solicits comments on collections of information provided for by Part 40, Provisions Common to Registered Entities. DATES: Comments must be submitted on or before August 6, 2018. ADDRESSES: You may submit comments, identified by OMB Control No. 3038– 0093 by any of the following methods: • The Agency’s website, at http:// comments.cftc.gov/. Follow the instructions for submitting comments through the website. • Mail: Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. • Hand Delivery/Courier: Same as Mail above. Please submit your comments using only one method and identify that it is for the renewal of Collection Number 3038–0093. All comments must be submitted in English, or if not, accompanied by an English translation. Comments will be posted as received to http:// www.cftc.gov. You should submit only information that you wish to make available publicly. If you wish the Commission to consider information that you believe is exempt from disclosure under the Freedom of SUMMARY: PO 00000 Frm 00027 Fmt 4703 Sfmt 4703 Information Act, a petition for confidential treatment of the exempt information may be submitted according to the procedures established in § 145.9 of the Commission’s regulations.1 The Commission reserves the right, but shall have no obligation, to review, pre-screen, filter, redact, refuse or remove any or all of your submission from http://www.cftc.gov that it may deem to be inappropriate for publication, such as obscene language. All submissions that have been redacted or removed that contain comments on the merits of the Information Collection Request will be retained in the public comment file and will be considered as required under the Administrative Procedure Act and other applicable laws, and may be accessible under the Freedom of Information Act. FOR FURTHER INFORMATION CONTACT: Lois J. Gregory, Associate Director, Division of Market Oversight, Commodity Futures Trading Commission, (202) 418–5092; email: lgregory@cftc.gov. SUPPLEMENTARY INFORMATION: Under the PRA, 44 U.S.C. 3501 et seq., Federal agencies must obtain approval from the Office of Management and Budget (OMB) for each collection of information they conduct or sponsor. ‘‘Collection of Information’’ is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3 and includes agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. Section 3506(c)(2)(A) of the PRA, 44 U.S.C. 3506(c)(2)(A), requires Federal agencies to provide a 60-day notice in the Federal Register concerning each proposed collection of information before submitting the collection to OMB for approval. To comply with this requirement, the CFTC is publishing notice of the proposed collection of information listed below. Title: Part 40, Provisions Common to Registered Entities (OMB Control No. 3038–0093). This is a request for extension of a currently approved information collection. Abstract: This collection of information involves the collection and submission to the Commission of information from registered entities concerning new products, rules, and rule amendments pursuant to the procedures outlined in §§ 40.2, 40.3, 40.5, 40.6, and 40.10 found in 17 CFR part 40. With respect to the collection of information, the CFTC invites comments on: • Whether the proposed collection of information is necessary for the proper 1 17 CFR 145.9. E:\FR\FM\07JNN1.SGM 07JNN1

Agencies

[Federal Register Volume 83, Number 110 (Thursday, June 7, 2018)]
[Notices]
[Pages 26434-26436]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-12261]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration


Multistakeholder Process on Promoting Software Component 
Transparency

AGENCY: National Telecommunications and Information Administration, 
U.S. Department of Commerce.

ACTION: Notice of Open Meeting.

-----------------------------------------------------------------------

SUMMARY: The National Telecommunications and Information Administration 
(NTIA) will convene meetings of a multistakeholder process on promoting 
software component transparency. This Notice announces the first 
meeting, which is scheduled for July 19, 2018.

DATES: The meeting will be held on July 19, 2018, from 10:00 a.m. to 
4:00 p.m., Eastern Daylight Time.

ADDRESSES: The meeting will be held at the American Institute of 
Architects, 1735 New York Ave. NW, Washington, DC 20006.

FOR FURTHER INFORMATION CONTACT: Allan Friedman, National 
Telecommunications and Information Administration, U.S. Department of 
Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; 
telephone: (202) 482-4281; email: [email protected]. Please direct 
media inquiries to NTIA's Office of Public Affairs: (202) 482-7002; 
email: [email protected].

SUPPLEMENTARY INFORMATION: 
    Background: Since 2015, the National Telecommunications and 
Information Administration has sought public comment on several matters 
around information and cyber policy and security, the Internet of 
Things (IoT), and the health of the digital ecosystem. In 2015, NTIA 
issued a Request for Comment to ``identify substantive cybersecurity 
issues that affect the digital ecosystem and digital economic growth 
where broad consensus, coordinated action, and the development of best 
practices could substantially improve security for organizations and 
consumers.'' \1\ In a separate but related matter in April 2016, NTIA, 
along with the Department's internet Policy Task Force, sought comments 
on the ``benefits, challenges, and potential roles for the government 
in fostering the advancement of the Internet of Things.'' \2\ Lastly, 
as part of Executive Order 13800, NTIA requested comments on 
``Promoting Stakeholder Action Against Botnets and Other Automated 
Threats.'' \3\
---------------------------------------------------------------------------

    \1\ U.S. Department of Commerce, internet Policy Task Force, 
Request for Public Comment, Stakeholder Engagement on Cybersecurity 
in the Digital Ecosystem, 80 FR 14360, Docket No. 150312253-5253-01 
(Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/cybersecurity_rfc_03192015.pdf.
    \2\ U.S. Department of Commerce, internet Policy Task Force, 
Request for Public Comment, Benefits, Challenges, and Potential 
Roles for the Government in Fostering the Advancement of the 
Internet of Things, 81 FR 19956, Docket No 160331306-6306-01 (Apr. 
5, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/rfc-potential-roles-government-fostering-advancement-internet-of-things.
    \3\ U.S. Department of Commerce, internet Policy Task Force, 
Request for Public Comment, Promoting Stakeholder Action Against 
Botnets and Other Automated Threats, 82 FR 27042, Docket No. 
170602536-7536-01 (Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/fr-ntia-cyber-eo-rfc-06132017.pdf.
---------------------------------------------------------------------------

    Several themes emerged from these three public consultations. Many 
stakeholders emphasized the importance of community-led, consensus-
driven, and risk-based solutions to address information security 
challenges, highlighting the role NTIA should play in convening 
multistakeholder processes. In the digital ecosystem, particular 
challenges were identified: Understanding and handling vulnerability 
information, addressing the insecurities in the growing IoT 
marketplace, and fostering a secure development lifecycle. NTIA has 
convened two multistakeholder processes to address these policy and 
market challenges. The first focused on how to promote collaboration 
around communicating vulnerability information, and the second helped 
vendors and consumers understand policy and market concerns related to 
patching vulnerabilities.
    The next initiative will focus on promoting software component 
transparency. Stakeholders will engage in an open and transparent 
process to explore the benefits and any potential risks of greater 
transparency. They may focus on incentives and barriers to adoption of 
transparency practices. The scope could include policy and 
international components. Transparency-driven solutions need not be 
prescriptive or regulatory, and can accommodate an ecosystem without a 
one-size-fits-all approach. The goal of this initiative is to foster a 
market that

[[Page 26435]]

offers greater transparency on software components.
    Most modern software is not written completely from scratch, but 
includes existing components, modules, and libraries from the open 
source and commercial software world. Modern development practices such 
as code reuse, and a dynamic IT marketplace with acquisitions and 
mergers, make it challenging to track the use of software components. 
The Internet of Things compounds this phenomenon, as new organizations, 
enterprises and innovators take on the role of software developer to 
add ``smart'' features or connectivity to their products. While the 
majority of libraries and components do not have known vulnerabilities, 
many do, and the sheer quantity of software means that some software 
products ship with vulnerable or out-of-date components. Many technical 
solutions to aid in this have already been developed by industry and 
the standards community.
    Vendors and developers also would find software component data 
useful. Cataloging the inputs to a software product is recognized as an 
important part of a secure development life cycle.\4\ Indeed, many 
organizations have developed internal processes to capture and manage 
this data for security purposes. Many others do so to manage licensing 
issues around third-party software components and intellectual property 
rights. Communicating information about the underlying components can 
be a strong security signifier, while still protecting the valuable 
intellectual property and source code in software and devices.
---------------------------------------------------------------------------

    \4\ The Software Assurance Forum for Excellence in Code 
(SAFECode), an industry consortium, has released a report on third 
party components that cites a range of standards. Managing Security 
Risks Inherent in the Use of Third-party Components, SAFECode (May 
2017), available at https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf.
---------------------------------------------------------------------------

    The importance of transparency in information security is widely 
recognized, and the notion of transparency around components of 
software and connected devices is not new. Academics identified the 
potential value of a ``software bill of materials'' as far back as 
1995,\5\ and there are a growing number of commercial solutions for 
security, licensing, and asset management. The International Standards 
Organization (ISO) first standardized software identification (SWID) 
tags in 2009.\6\ In 2015, NIST published Guidelines for the Creation of 
Interoperable Software Identification (SWID) Tags,\7\ and their use has 
been slowly increasing. The open source community has also developed 
the Software Package Data Exchange.\8\ This process will explore 
successful examples of use, and market barriers to increased adoption. 
From the perspective of the enterprise customer, it is hard to defend 
what one does not know. Transparency itself is not sufficient; the data 
must be useful and actionable. Understanding what is on an enterprise 
network is a key part of a security program. Having data about software 
components allows the enterprise customer to better understand the 
risks of potentially vulnerable software and devices.
---------------------------------------------------------------------------

    \5\ Leblang D.B., Levine P.H., Software configuration 
management: Why is it needed and what should it do? In: Estublier J. 
(eds) Software Configuration Management Lecture Notes in Computer 
Science, vol. 1005, Springer, Berlin, Heidelberg (1995).
    \6\ ISO/IEC 19770 ``Software Identification Tag,'' originally 
published in 2009, updated in 2015, https://www.iso.org/standard/65666.html.
    \7\ U.S. Department of Commerce, Guidelines for the Creation of 
Interoperable Software Identification (SWID) Tags, National 
Institute of Standards and Technology Internal Report 8060 (Dec. 
2015), available at: https://csrc.nist.gov/csrc/media/publications/nistir/8060/final/documents/nistir_8060_draft_fourth.pdf.
    \8\ More information on the Software Package Data Exchange 
project is available at https://spdx.org.
---------------------------------------------------------------------------

    Any conversation around transparency must include a discussion of 
the needs of the diverse set of enterprise software users. Data about 
the underlying code can help both the customer and the vendor. It 
should be incorporated into a security-mature organization's existing 
vulnerability management solutions, and can help foster further 
innovation. Having access to this data can help organizations mitigate 
concerns around orphaned devices and products, and lower the risks of 
investing in new products by increasing capabilities to deal with 
future security issues.
    NTIA will act as the convener, but stakeholders will drive the 
outcomes. Stakeholders will determine how to scope and organize the 
work through subgroups or other means. Success of the process will be 
evaluated by the extent to which broader findings on software component 
transparency are implemented across the ecosystem.
    This multistakeholder process is not a standards development 
process and will not supplant ongoing standards efforts or discussions. 
NTIA will frame the initial conversation around the policy and market 
considerations for greater software component transparency. NTIA 
encourages cross-sector participation as this will help to prevent 
sector-specific solutions that could fragment the marketplace. NTIA 
encourages discussion of approaches and considerations from diverse 
sectors such as the medical device community, where the applicability 
of a ``bill of materials'' has garnered increased discussion and 
interest.\9\ This approach can promote a more efficient and adaptive 
marketplace for new products.
    Matters to Be Considered: The July 19, 2018, meeting will be the 
first in a series of NTIA-convened multistakeholder discussions on 
promoting software component transparency. Subsequent meetings will 
follow on a schedule determined by those participating in the first 
meeting. Stakeholders will engage in an open, transparent, and 
consensus-driven process to understand the range of issues involved. 
The multistakeholder process will involve hearing and understanding the 
perspectives of diverse stakeholders, explicitly sharing the 
perspectives of a range of software and IoT vendors and enterprise 
customers from across the digital economy.
    The July 19, 2018, meeting is intended to bring stakeholders 
together to share the range of views on software component 
transparency, and to establish more concrete goals and structure of the 
process. The objectives of this first meeting are to: (1) Share the 
perspectives and concerns of both the vendor and enterprise customer 
communities; (2) discuss and acknowledge what is already working; (3) 
explore obstacles and challenges for greater transparency and better 
risk decisions; (4) identify promising areas of potential 
collaboration; (5) engage stakeholders in a discussion of logistical 
issues, including internal structures such as a small drafting 
committee or various working groups, and the location and frequency of 
future meetings; and (6) identify concrete goals and stakeholder work 
following the first meeting. These topics could include, but are in no 
way limited to, an inventory of existing statutory, policy, regulatory, 
and market efforts to increase software component transparency; 
identification of incentives and disincentives for market adoption of 
approaches for software component transparency; exploration of 
statutory, policy, and regulatory activities that may inhibit adoption; 
accessible high-level guidance for strategic decision-makers; and 
review of international approaches to understand statutory, policy, and 
regulatory environments to understand effects on market adoption.
    The main objective of further meetings will be to encourage and 
facilitate continued discussion among stakeholders to map the range of 
issues, and develop a consensus view for some

[[Page 26436]]

determined aspects of transparency. This discussion may include the 
appropriate scope of the initiative and circulation of stakeholder-
developed drafts. Stakeholders may also agree on procedural work plans 
for the group, including additional meetings or modified logistics for 
future meetings. NTIA suggests that stakeholders consider setting clear 
deadlines for working drafts and a phase for external review of such 
drafts, before reconvening to take account of external feedback.
    More information about stakeholders' work will be available at: 
https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency.
    Time and Date: NTIA will convene the first meeting of the 
multistakeholder process on Software Component Transparency on July 19, 
2018, from 10:00 a.m. to 4:00 p.m. Eastern Daylight Time. Please refer 
to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the most current information.
    Place: The meeting will be held at the American Institute of 
Architects, 1735 New York Ave. NW, Washington, DC 20006. The location 
of the meeting is subject to change. Please refer to NTIA's website, 
https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, 
for the most current information.
    Other Information: The meeting is open to the public and the press 
on a first-come, first-served basis. Space is limited.
    The meeting is physically accessible to people with disabilities. 
Requests for sign language interpretation or other auxiliary aids 
should be directed to Allan Friedman at (202) 482-4281 or 
[email protected] at least seven (7) business days prior to each 
meeting. The meetings will also be webcast. Requests for real-time 
captioning of the webcast or other auxiliary aids should be directed to 
Allan Friedman at (202) 482-4281 or [email protected] at least 
seven (7) business days prior to each meeting. There will be an 
opportunity for stakeholders viewing the webcast to participate 
remotely in the meetings through a moderated conference bridge, 
including polling functionality. Access details for the meetings are 
subject to change. Please refer to NTIA's website, https://www.ntia.doc.gov/other-publication/2018/SoftwareTransparency, for the 
most current information.

    Dated: June 4, 2018.
David J. Redl,
Assistant Secretary for Communication and Information, National 
Telecommunications and Information Administration.
[FR Doc. 2018-12261 Filed 6-6-18; 8:45 am]
BILLING CODE 3510-60-P