Software Bill of Materials Elements and Considerations, 29568-29571 [2021-11592]

Download as PDF 29568 Federal Register / Vol. 86, No. 104 / Wednesday, June 2, 2021 / Notices Scientific and Statistical Committee—8 a.m. Day 4—Thursday, June 24, 2021 California State Delegation—7 a.m. Oregon State Delegation—7 a.m. Washington State Delegation—7 a.m. Coastal Pelagic Species Advisory Subpanel—8 a.m. Coastal Pelagic Species Management Team—8 a.m. Groundfish Advisory Subpanel—8 a.m. Groundfish Management Team—8 a.m. Highly Migratory Species Advisory Subpanel—8 a.m. Highly Migratory Species Management Team—8 a.m. Scientific and Statistical Committee—8 a.m. Enforcement Consultants—As Necessary Day 5—Friday, June 25, 2021 California State Delegation—7 a.m. Oregon State Delegation—7 a.m. Washington State Delegation—7 a.m. Coastal Pelagic Species Advisory Subpanel—8 a.m. Coastal Pelagic Species Management Team—8 a.m. Groundfish Advisory Subpanel—8 a.m. Groundfish Management Team—8 a.m. Highly Migratory Species Advisory Subpanel—8 a.m. Highly Migratory Species Management Team—8 a.m. Enforcement Consultants—As Necessary Special Accommodations Requests for sign language interpretation or other auxiliary aids should be directed to Mr. Kris Kleinschmidt at (503) 820–2412 at least 10 business days prior to the meeting date. Authority: 16 U.S.C. 1801 et seq. Dated: May 27, 2021. Tracey L. Thompson, Acting Deputy Director, Office of Sustainable Fisheries, National Marine Fisheries Service. [FR Doc. 2021–11547 Filed 6–1–21; 8:45 am] BILLING CODE 3510–22–P DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Day 6—Saturday, June 26, 2021 [Docket No. 210527–0117] California State Delegation—7 a.m. Oregon State Delegation—7 a.m. Washington State Delegation—7 a.m. Groundfish Advisory Subpanel—8 a.m. Groundfish Management Team—8 a.m. Enforcement Consultants—As Necessary * No Meetings Scheduled for Sunday, June 27, 2021 RIN 0660–XC051 Day 7—Monday, June 28, 2021 California State Delegation—7 a.m. Oregon State Delegation—7 a.m. Washington State Delegation—7 a.m. Groundfish Advisory Subpanel—8 a.m. Groundfish Management Team—8 a.m. Enforcement Consultants—As Necessary Day 8—Tuesday, June 29, 2021 California State Delegation—7 a.m. Oregon State Delegation—7 a.m. Washington State Delegation—7 a.m. Groundfish Advisory Subpanel—8 a.m. Groundfish Management Team—8 a.m. Enforcement Consultants—As Necessary jbell on DSKJLSW7X2PROD with NOTICES before the Pacific Council for discussion, those issues may not be the subject of formal Council action during this meeting. Council action will be restricted to those issues specifically listed in this notice and any issues arising after publication of this notice that require emergency action under section 305(c) of the Magnuson-Stevens Fishery Conservation and Management Act, provided the public has been notified of the Pacific Council’s intent to take final action to address the emergency. Day 9—Wednesday, June 30, 2021 California State Delegation—7 a.m. Oregon State Delegation—7 a.m. Washington State Delegation—7 a.m. Although non-emergency issues not contained in this agenda may come VerDate Sep<11>2014 17:49 Jun 01, 2021 Jkt 253001 Software Bill of Materials Elements and Considerations National Telecommunications and Information Administration, U.S. Department of Commerce. ACTION: Notice, request for public comment. AGENCY: The Executive Order on Improving the Nation’s Cybersecurity directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the minimum elements for a Software Bill of Materials (SBOM). Through this Notice, following from the Executive Order, NTIA is requesting comments on the minimum elements for an SBOM, and what other factors should be considered in the request, production, distribution, and consumption of SBOMs. SUMMARY: Comments are due on or before June 17, 2021. ADDRESSES: Written comments may be submitted on this document identified by NTIA–2021–0001 through DATES: PO 00000 Frm 00023 Fmt 4703 Sfmt 4703 www.regulations.gov or by email to SBOM_RFC@ntia.gov. Written comments also may be submitted by mail to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Attn: Evelyn L. Remaley, Acting NTIA Administrator, Washington, DC 20230. For more detailed instructions about submitting comments, see the ‘‘Instructions for Commenters’’ section at the end of this Notice. FOR FURTHER INFORMATION CONTACT: Allan Friedman, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; telephone: (202) 482–4281; email: afriedman@ntia.gov. Please direct media inquiries to NTIA’s Office of Public Affairs: (202) 482–7002; email: press@ntia.gov. SUPPLEMENTARY INFORMATION: Background On May 12, 2021, the President issued Executive Order 14028, ‘‘Improving the Nation’s Cybersecurity.’’ 1 An initial step towards the Executive Order’s goal of ‘‘enhancing software supply chain security’’ is transparency. As the Order itself notes, ‘‘the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.’’ An SBOM advances transparency in the software supply chain, similar to a ‘‘list of ingredients.’’ NTIA is directed to publish a list of ‘‘minimum elements for an SBOM.’’ NTIA has played a leadership role in advocating for SBOM, convening experts from across the software world and leading discussions around the ideas of software supply chain transparency.2 The goal of this Request for Comments is to seek input and feedback on NTIA’s approach to developing and publishing the minimum elements of an SBOM. NTIA is committed to being open to further additions, corrections, deletions, or other changes, particularly when suggestions are well supported with 1 Exec. Order No. 14,028 of May 12, 2021, 86 FR 26,633 (May 17, 2021). 2 See David J. Redl, NTIA Launches Initiative to Improve Software Component Transparency, Nat’l Telecomm. & Info. Admin. (June 6, 2018), https:// www.ntia.doc.gov/blog/2018/ntia-launchesinitiative-improve-software-componenttransparency; Allan Friedman, Dir., Cybersecurity, Nat’l Telecomm. & Info. Admin., Transparency in the Software Supply Chain: Making SBOM a Reality, Address at Black Hat USA 2019 Conference (Aug. 7, 2019). E:\FR\FM\02JNN1.SGM 02JNN1 Federal Register / Vol. 86, No. 104 / Wednesday, June 2, 2021 / Notices documents, operational evidence, and support from broad-based constituencies in the software ecosystem. Since 2018, NTIA has coordinated an open and transparent multistakeholder process on software component transparency, providing a forum in which a diverse and evolving set of experts and interested parties have been able to weigh in, share their leadership and respective visions, unpack the complex challenges of software supply chain, and propose various solutions.3 The idea of an SBOM is not new. Its roots lie in the concepts developed by noted American engineer and management consultant W. Edward Deming to build post-war industrial supply chain leadership, and over the last decade an SBOM has come to be considered vital to security by notable security experts.4 By providing a forum for SBOM discussions, NTIA has helped the community identify common themes, coalesce around standards, and emphasize interoperability. These discussions have led to the documentation of existing tools, products, and projects, and have helped drive further experimentation and implementation. With an emphasis on the practice of SBOM generation and use, NTIA has sought to facilitate ‘‘proof-of-concept’’ exercises in specific communities and sectors.5 NTIA has also worked across the federal government to share ideas about SBOM, seek feedback and engagement from experts in the civilian and national security community, and expand general awareness of SBOM. What is an SBOM? jbell on DSKJLSW7X2PROD with NOTICES The Executive Order defines an SBOM as ‘‘a formal record containing the details and supply chain relationships of various components used in building software.’’ It refers to what the software assurance organization SAFECode calls ‘‘third party components.’’ Software is made and used by a wide range of organizations, but this diversity makes a single model for SBOM difficult. There is no one-size-fits-all approach to providing transparency for software assurance. 3 NTIA, Multistakeholder Process on Promoting Software Component Transparency, Notice of Open Meeting, 83 FR 26,434 (June 7, 2018). 4 See Seth Carmody et al., Building Resilient Medical Technology Supply Chains with a Software Bill of Materials, 4 npj Digit. Med., at 1, 1–2 (2021), https://doi.org/10.1038/s41746-021-00403-w. 5 See Susan Miller, Protecting the Supply Chain with a Software Bill of Materials, GCN (Feb. 22, 2021), https://gcn.com/articles/2021/02/22/sbomsupply-chain-security.aspx. VerDate Sep<11>2014 17:49 Jun 01, 2021 Jkt 253001 The Executive Order also defines SBOM in functional terms, framing its value in terms of use cases. It notes distinct but overlapping benefits that accrue to the organization that makes the software (‘‘developers’’), the organization that chooses or buys software, and those that operate software. Many of these use case benefits center around tracking known or newly identified vulnerabilities, but SBOM can also support use cases around license management and software quality/efficiency, and can lay the foundation to detect software supply chain attacks. These benefits should serve as a lodestar for designing and publishing the minimum elements of an SBOM that can be applied across the diverse software ecosystem. Potential Elements for an SBOM NTIA proposes a definition of the ‘‘minimum elements’’ of an SBOM that builds on three broad, inter-related areas: Data fields, operational considerations, and support for automation. Focusing on these three elements will enable an evolving approach to software transparency, and serve to ensure that subsequent efforts will incorporate more detail or technical advances. The information below is preliminary, and the ultimate list published by NTIA will be revised based on public input. Data fields. To understand the thirdparty components that make up software, certain data about each of those components should be tracked. This ‘‘baseline component information’’ includes: 6 • Supplier name • Component name • Version of the component • Cryptograph hash of the component • Any other unique identifier • Dependency relationship • Author of the SBOM data Some of these data fields could be expanded. For example, the ‘‘dependency relationship’’ generally refers to the idea that one component is included in another component, but could be expanded to also include referencing standards, which tools were used, or how software was compiled or built. Other data fields may need more clarity, including data fields for component and supplier name. As one SBOM document notes, ‘‘[c]omponent identification is fundamental to SBOM and needs to scale globally across 6 See generally Framing Working Grp., Nat’l Telecomm. & Info. Admin., Framing Software Component Transparency (2019), https:// www.ntia.gov/files/ntia/publications/framingsbom_ 20191112.pdf (providing further information on baseline components). PO 00000 Frm 00024 Fmt 4703 Sfmt 4703 29569 diverse software ecosystems, sectors, and markets.’’ 7 The challenge is that different technical communities and organizations have different approaches to determining software identity. Operational considerations. SBOM is more than a set of data fields. Elements of SBOM include a set of operational and business decisions and actions that establish the practice of requesting, generating, sharing, and consuming SBOMs. This includes: • Frequency. Operational considerations touch on when and where the SBOM data is generated and tracked. SBOM data could be created and stored in the repository of the source. For built software, it can be tracked and assembled at the time of build. A new build or an update to the underlying source should, in turn, create a new SBOM. • Depth. The ideal SBOM should track dependencies, dependencies of those dependencies, and so on down to the complete graph of the assembled software. Complete depth may not always be feasible, especially as SBOM practices are still novel in some communities. When an SBOM cannot convey the full set of transitive dependencies, it should explicitly acknowledge the ‘‘known unknowns,’’ so that the SBOM consumer can easily determine the difference between a component with no further dependencies and a component with unknown or partial dependencies. • Delivery. SBOMs should be available in a timely fashion to those who need them and have proper access permissions and roles in place. Sharing SBOM data down the supply chain can be thought of as comprising two parts: How the existence and availability of the SBOM is made known (advertisement or discovery) and how the SBOM is retrieved by or transmitted to those who have the appropriate permissions (access).8 Similar to other areas of software assurance, there will not be a one-size-fits-all approach. Anyone offering SBOMs must have some mechanism to deliver them, but this can ride on existing mechanisms. SBOM delivery can reflect the nature of the software as well: Executables that live on endpoints can store the SBOM data on disk with the compiled code, whereas embedded systems or online 7 Framing Working Group, Nat’l Telecomm. & Info. Admin., Software Identification Challenges and Guidance (2021), https://www.ntia.gov/files/ ntia/publications/ntia_sbom_software_identity2021mar30.pdf. 8 Framing Working Grp., Nat’l Telecomm. & Info. Admin., Sharing and Exchanging SBOMs (2021), https://www.ntia.gov/files/ntia/publications/ntia_ sbom_sharing_exchanging_sboms-10feb2021.pdf. E:\FR\FM\02JNN1.SGM 02JNN1 29570 Federal Register / Vol. 86, No. 104 / Wednesday, June 2, 2021 / Notices services can have pointers to SBOM data stored online. Automation support. A key element for SBOM to scale across the software ecosystem, particularly across organizational boundaries, is support for automation, including automatic generation and machine-readability. As the Executive Order notes, SBOMs should be machine-readable and should allow ‘‘for greater benefits through automation and tool integration.’’ Manual entry or distribution with spreadsheets does not scale, especially across organizations. The SBOM community has identified three existing data standards (formats) that can convey the data fields and be used to support the operations described above: SPDX,9 CycloneDX,10 and SWID tags.11 Experts in these formats have mapped between them to create interoperability for the baseline described above. Because these formats already are subject to public input and translation tools exist, they serve as logical starting points for sharing basic data.12 In addition to the three SBOM formats, the need for automation defines how some of the fields might be implemented better. For instance, machine-scale detection of vulnerabilities requires mapping component identity fields to existing vulnerability databases. jbell on DSKJLSW7X2PROD with NOTICES Request for Comment The discussion above lays out the collected data points and experience from experts and practitioners in SBOM, including existing practices and novel proof-of-concept work. To inform, validate, and update NTIA’s understanding of SBOM, NTIA seeks comment on the following questions: 1. Are the elements described above, including data fields, operational considerations, and support for automation, sufficient? What other elements should be considered and why? 2. Are there additional use cases that can further inform the elements of SBOM? 3. SBOM creation and use touches on a number of related areas in IT 9 See also SPDX, https://spdx.dev/ (last visited May 18, 2021). 10 See also CycloneDX, https://cyclonedx.org/ (last visited May 18, 2021). 11 See David Waltermire et al., Guidelines for the Creation of Interoperable Software Identification (SWID) Tags (2016) (Nat’l Inst. of Standards & Tech. Internal Rep. 8060), http://dx.doi.org/10.6028/ NIST.IR.8060 (SWID tags are defined by ISO/IEC 19770–2:2015). 12 See, e.g., SwiftBOM—SBOM Generator for PoC and Demos, https://democert.org/sbom/ (last visited May 18, 2021). VerDate Sep<11>2014 17:49 Jun 01, 2021 Jkt 253001 management, cybersecurity, and public policy. We seek comment on how these issues described below should be considered in defining SBOM elements today and in the future. a. Software Identity: There is no single namespace to easily identify and name every software component. The challenge is not the lack of standards, but multiple standards and practices in different communities. b. Software-as-a-Service and online services: While current, cloud-based software has the advantage of more modern tool chains, the use cases for SBOM may be different for software that is not running on customer premises or maintained by the customer. c. Legacy and binary-only software: Older software often has greater risks, especially if it is not maintained. In some cases, the source may not even be obtainable, with only the object code available for SBOM generation. d. Integrity and authenticity: An SBOM consumer may be concerned about verifying the source of the SBOM data and confirming that it was not tampered with. Some existing measures for integrity and authenticity of both software and metadata can be leveraged. e. Threat model: While many anticipated use cases may rely on the SBOM as an authoritative reference when evaluating external information (such as vulnerability reports), other use cases may rely on the SBOM as a foundation in detecting more sophisticated supply chain attacks. These attacks could include compromising the integrity of not only the systems used to build the software component, but also the systems used to create the SBOM or even the SBOM itself. How can SBOM position itself to support the detection of internal compromise? How can these more advanced data collection and management efforts best be integrated into the basic SBOM structure? What further costs and complexities would this impose? f. High assurance use cases: Some SBOM use cases require additional data about aspects of the software development and build environment, including those aspects that are enumerated in Executive Order 14028.13 How can SBOM data be integrated with this additional data in a modular fashion? g. Delivery. As noted above, multiple mechanisms exist to aid in SBOM discovery, as well as to enable access to SBOMs. Further mechanisms and standards may be needed, yet too many 13 Exec. Order No.14028 § 4(e)(i)–(x), 86 FR 26633, 26638–39 (May 12, 2021). PO 00000 Frm 00025 Fmt 4703 Sfmt 4703 options may impose higher costs on either SBOM producers or consumers. h. Depth. As noted above, while ideal SBOMs have the complete graph of the assembled software, not every software producer will be able or ready to share the entire graph. i. Vulnerabilities. Many of the use cases around SBOMs focus on known vulnerabilities. Some build on this by including vulnerability data in the SBOM itself. Others note that the existence and status of vulnerabilities can change over time, and there is no general guarantee or signal about whether the SBOM data is up-to-date relative to all relevant and applicable vulnerability data sources. j. Risk Management. Not all vulnerabilities in software code put operators or users at real risk from software built using those vulnerable components, as the risk could be mitigated elsewhere or deemed to be negligible. One approach to managing this might be to communicate that software is ‘‘not affected’’ by a specific vulnerability through a Vulnerability Exploitability eXchange (or ‘‘VEX’’),14 but other solutions may exist. 4. Flexibility of implementation and potential requirements. If there are legitimate reasons why the above elements might be difficult to adopt or use for certain technologies, industries, or communities, how might the goals and use cases described above be fulfilled through alternate means? What accommodations and alternate approaches can deliver benefits while allowing for flexibility? Instructions for Commenters: NTIA invites comment on the full range of issues that may be presented in this Notice, including issues that are not specifically raised in the above questions. Commenters are encouraged to address any or all of the above questions. Comments that contain references to studies, research, and other empirical data that are not widely available should include copies of the referenced materials with the submitted comments. Comments submitted by email should be machine-readable and should not be copy-protected. Responders should include the name of the person or organization filing the comment, which will facilitate agency follow up for clarifications as necessary, as well as a page number on each page of their submissions. All comments received are a part of the public record and will be posted on regulations.gov 14 David Braue, Software ‘Bill of Materials’ To Become Standard?, Info. Age (Oct. 22, 2020, 11:34 a.m.), https://ia.acs.org.au/article/2020/softwarebill-of-materials-to-become-standard.html. E:\FR\FM\02JNN1.SGM 02JNN1 Federal Register / Vol. 86, No. 104 / Wednesday, June 2, 2021 / Notices and the NTIA website, https:// www.ntia.gov/, without change. All personal identifying information (for example, name, address) voluntarily submitted by the commenter may be publicly accessible. Do not submit confidential business information or otherwise sensitive or protected information. Dated: May 27, 2021. Kathy D. Smith, Chief Counsel, National Telecommunications and Information Administration. [FR Doc. 2021–11592 Filed 6–1–21; 8:45 am] BILLING CODE 3510–60–P DEPARTMENT OF COMMERCE Patent and Trademark Office [Docket No.: PTO–P–2021–0010] Submitting Patent Applications in Structured Text Format and Reliance on the Text Version as the Source or Evidentiary Copy United States Patent and Trademark Office, Department of Commerce. ACTION: Notice. AGENCY: The United States Patent and Trademark Office (USPTO) is in the process of transitioning to a system that supports submitting new patent applications in structured text, specifically DOCX format. Filing in structured text allows applicants to submit their specifications, claims, and abstracts in text-based format, thereby eliminating the need for applicants to convert applications into a PDF for filing. It also provides a flexible format with no template constraints and improves data quality by supporting original formats for chemical formulas, mathematical equations, and tables. The USPTO previously stated that for applications filed in DOCX, the authoritative document would be the accompanying PDF that the USPTO systems generate from the DOCX document. In response to public feedback, however, the USPTO now considers the DOCX document filed by the applicant to be the authoritative document. Accordingly, an applicant who files or has filed an application in DOCX may rely on that version as the source or evidentiary copy of the application to make any corrections to the documents in the application file. The USPTO will be hosting DOCX training sessions to provide more information, demonstrate how to file and retrieve DOCX files in Patent Center, EFS–Web, and PAIR, and answer any questions. Applicants can jbell on DSKJLSW7X2PROD with NOTICES SUMMARY: VerDate Sep<11>2014 17:49 Jun 01, 2021 Jkt 253001 also file test submissions through Patent Center training mode to practice filing in DOCX. In addition, we will be offering listening sessions to gather feedback and suggestions to further improve DOCX features. DATES: Effective date: June 2, 2021. FOR FURTHER INFORMATION CONTACT: Mark O. Polutta, Senior Legal Advisor, 571–272–7709, or Eugenia A. Jones, Senior Legal Advisor, 571–272–7727, of the Office of Patent Legal Administration, Office of the Deputy Commissioner for Patents. For technical questions related to submitting documents in DOCX format, please contact the Patent Electronic Business Center (EBC) at 1–866–217– 9197 (toll-free), 571–272–4100 (local), or ebc@uspto.gov. The EBC is open from 6 a.m. to midnight, ET, Monday through Friday. SUPPLEMENTARY INFORMATION: The USPTO is in the process of transitioning to a system that supports submitting new patent applications in structured text, specifically DOCX format. Application documents submitted in DOCX format will facilitate the examination and publication processes. This notice provides information on structured text filing. Specifically, the USPTO now considers the DOCX documents filed by applicants to be the authoritative document, otherwise referred to as the source or evidentiary copy of the application, for purposes of determining the content of the application as originally filed, should a discrepancy be discovered. This notice does not require patent applicants to make any changes to their practices. Currently, applicants may electronically file an application either by submitting PDF files or by submitting DOCX files. If an applicant submits DOCX files, the USPTO uses the DOCX files to generate PDF files prior to the actual filing of the application. The USPTO published a final rule on setting and adjusting patent fees on August 3, 2020. See Setting and Adjusting Patent Fees During Fiscal Year 2020, 85 FR 46932 (Aug. 3, 2020). In addition to establishing a fee for applications not submitted in a DOCX format, the response to comment 54 in the final rule stated that for applications filed in DOCX, the authoritative document will be the accompanying PDF that the USPTO systems generate from the DOCX document. See id. at 46957. In response to public feedback, the USPTO has changed what will be the authoritative document. The USPTO is informing applicants that it now considers the DOCX documents filed by applicants to be the authoritative PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 29571 document, otherwise referred to as the source or evidentiary copy of the application. This change applies to all patent documents submitted in DOCX format, including DOCX submissions made prior to this notice. The source or evidentiary copy of the application is the version submitted to the USPTO by the applicant in one of the following formats: Paper, DOCX, or PDF when not accompanied by a DOCX version of the same. Applicants should not submit PDF versions they created when filing an application in DOCX, as they are unnecessary. If the applicant submits documents in DOCX along with PDF versions they created (not the autogenerated PDFs created by the USPTO), then the DOCX version will still be considered the source or evidentiary copy, and the applicant will be required to pay the non-DOCX surcharge fee. Applicants can rely on the DOCX version as the source or evidentiary copy in order to make any corrections to the record when any discrepancies are identified between the source or evidentiary copy and the documents as converted by the USPTO. Accordingly, during the filing process, applicants will be advised to review the DOCX files before submission rather than reviewing the USPTO-generated PDF version, as set forth in the August 3, 2020, final rule. However, applicants are advised to check the USPTO-generated versions as soon as practicable for any discrepancies or errors. Any discrepancies or errors that occur as a result of filing an application in DOCX format should be promptly brought to the attention of the USPTO. Applicants should initially contact the Patent EBC for investigation at 1–866–217–9197 (toll-free), 571–272–4100 (local), or ebc@uspto.gov. Depending on the situation, applicants may need to file a petition under 37 CFR 1.181 in order to have the issue reviewed and addressed. This is consistent with current USPTO procedures for documents filed in patent applications. In this regard, the USPTO has a records retention schedule for documents it receives, including new patent applications and correspondence filed in patent applications. For example, applications filed in paper via mail or hand-delivery are scanned into the image file wrapper (IFW) or the Supplemental Complex Repository for Examiners (SCORE), as appropriate. In 2011, the USPTO established a one-year retention policy for patent-related papers scanned into the IFW or SCORE. See Establishment of a One-Year Retention Period for Patent-Related Papers That Have Been Scanned Into the E:\FR\FM\02JNN1.SGM 02JNN1

Agencies

[Federal Register Volume 86, Number 104 (Wednesday, June 2, 2021)]
[Notices]
[Pages 29568-29571]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-11592]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

[Docket No. 210527-0117]
RIN 0660-XC051


Software Bill of Materials Elements and Considerations

AGENCY: National Telecommunications and Information Administration, 
U.S. Department of Commerce.

ACTION: Notice, request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Executive Order on Improving the Nation's Cybersecurity 
directs the Department of Commerce, in coordination with the National 
Telecommunications and Information Administration (NTIA), to publish 
the minimum elements for a Software Bill of Materials (SBOM). Through 
this Notice, following from the Executive Order, NTIA is requesting 
comments on the minimum elements for an SBOM, and what other factors 
should be considered in the request, production, distribution, and 
consumption of SBOMs.

DATES: Comments are due on or before June 17, 2021.

ADDRESSES: Written comments may be submitted on this document 
identified by NTIA-2021-0001 through www.regulations.gov or by email to 
[email protected]. Written comments also may be submitted by mail to 
the National Telecommunications and Information Administration, U.S. 
Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Attn: 
Evelyn L. Remaley, Acting NTIA Administrator, Washington, DC 20230. For 
more detailed instructions about submitting comments, see the 
``Instructions for Commenters'' section at the end of this Notice.

FOR FURTHER INFORMATION CONTACT: Allan Friedman, National 
Telecommunications and Information Administration, U.S. Department of 
Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; 
telephone: (202) 482-4281; email: [email protected]. Please direct 
media inquiries to NTIA's Office of Public Affairs: (202) 482-7002; 
email: [email protected].

SUPPLEMENTARY INFORMATION:

Background

    On May 12, 2021, the President issued Executive Order 14028, 
``Improving the Nation's Cybersecurity.'' \1\ An initial step towards 
the Executive Order's goal of ``enhancing software supply chain 
security'' is transparency. As the Order itself notes, ``the trust we 
place in our digital infrastructure should be proportional to how 
trustworthy and transparent that infrastructure is, and to the 
consequences we will incur if that trust is misplaced.'' An SBOM 
advances transparency in the software supply chain, similar to a ``list 
of ingredients.'' NTIA is directed to publish a list of ``minimum 
elements for an SBOM.''
---------------------------------------------------------------------------

    \1\ Exec. Order No. 14,028 of May 12, 2021, 86 FR 26,633 (May 
17, 2021).
---------------------------------------------------------------------------

    NTIA has played a leadership role in advocating for SBOM, convening 
experts from across the software world and leading discussions around 
the ideas of software supply chain transparency.\2\ The goal of this 
Request for Comments is to seek input and feedback on NTIA's approach 
to developing and publishing the minimum elements of an SBOM. NTIA is 
committed to being open to further additions, corrections, deletions, 
or other changes, particularly when suggestions are well supported with

[[Page 29569]]

documents, operational evidence, and support from broad-based 
constituencies in the software ecosystem.
---------------------------------------------------------------------------

    \2\ See David J. Redl, NTIA Launches Initiative to Improve 
Software Component Transparency, Nat'l Telecomm. & Info. Admin. 
(June 6, 2018), https://www.ntia.doc.gov/blog/2018/ntia-launches-initiative-improve-software-component-transparency; Allan Friedman, 
Dir., Cybersecurity, Nat'l Telecomm. & Info. Admin., Transparency in 
the Software Supply Chain: Making SBOM a Reality, Address at Black 
Hat USA 2019 Conference (Aug. 7, 2019).
---------------------------------------------------------------------------

    Since 2018, NTIA has coordinated an open and transparent 
multistakeholder process on software component transparency, providing 
a forum in which a diverse and evolving set of experts and interested 
parties have been able to weigh in, share their leadership and 
respective visions, unpack the complex challenges of software supply 
chain, and propose various solutions.\3\ The idea of an SBOM is not 
new. Its roots lie in the concepts developed by noted American engineer 
and management consultant W. Edward Deming to build post-war industrial 
supply chain leadership, and over the last decade an SBOM has come to 
be considered vital to security by notable security experts.\4\ By 
providing a forum for SBOM discussions, NTIA has helped the community 
identify common themes, coalesce around standards, and emphasize 
interoperability. These discussions have led to the documentation of 
existing tools, products, and projects, and have helped drive further 
experimentation and implementation. With an emphasis on the practice of 
SBOM generation and use, NTIA has sought to facilitate ``proof-of-
concept'' exercises in specific communities and sectors.\5\ NTIA has 
also worked across the federal government to share ideas about SBOM, 
seek feedback and engagement from experts in the civilian and national 
security community, and expand general awareness of SBOM.
---------------------------------------------------------------------------

    \3\ NTIA, Multistakeholder Process on Promoting Software 
Component Transparency, Notice of Open Meeting, 83 FR 26,434 (June 
7, 2018).
    \4\ See Seth Carmody et al., Building Resilient Medical 
Technology Supply Chains with a Software Bill of Materials, 4 npj 
Digit. Med., at 1, 1-2 (2021), https://doi.org/10.1038/s41746-021-00403-w.
    \5\ See Susan Miller, Protecting the Supply Chain with a 
Software Bill of Materials, GCN (Feb. 22, 2021), https://gcn.com/articles/2021/02/22/sbom-supply-chain-security.aspx.
---------------------------------------------------------------------------

What is an SBOM?

    The Executive Order defines an SBOM as ``a formal record containing 
the details and supply chain relationships of various components used 
in building software.'' It refers to what the software assurance 
organization SAFECode calls ``third party components.'' Software is 
made and used by a wide range of organizations, but this diversity 
makes a single model for SBOM difficult. There is no one-size-fits-all 
approach to providing transparency for software assurance.
    The Executive Order also defines SBOM in functional terms, framing 
its value in terms of use cases. It notes distinct but overlapping 
benefits that accrue to the organization that makes the software 
(``developers''), the organization that chooses or buys software, and 
those that operate software. Many of these use case benefits center 
around tracking known or newly identified vulnerabilities, but SBOM can 
also support use cases around license management and software quality/
efficiency, and can lay the foundation to detect software supply chain 
attacks. These benefits should serve as a lodestar for designing and 
publishing the minimum elements of an SBOM that can be applied across 
the diverse software ecosystem.

Potential Elements for an SBOM

    NTIA proposes a definition of the ``minimum elements'' of an SBOM 
that builds on three broad, inter-related areas: Data fields, 
operational considerations, and support for automation. Focusing on 
these three elements will enable an evolving approach to software 
transparency, and serve to ensure that subsequent efforts will 
incorporate more detail or technical advances. The information below is 
preliminary, and the ultimate list published by NTIA will be revised 
based on public input.
    Data fields. To understand the third-party components that make up 
software, certain data about each of those components should be 
tracked. This ``baseline component information'' includes: \6\
---------------------------------------------------------------------------

    \6\ See generally Framing Working Grp., Nat'l Telecomm. & Info. 
Admin., Framing Software Component Transparency (2019), https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf 
(providing further information on baseline components).

 Supplier name
 Component name
 Version of the component
 Cryptograph hash of the component
 Any other unique identifier
 Dependency relationship
 Author of the SBOM data
    Some of these data fields could be expanded. For example, the 
``dependency relationship'' generally refers to the idea that one 
component is included in another component, but could be expanded to 
also include referencing standards, which tools were used, or how 
software was compiled or built. Other data fields may need more 
clarity, including data fields for component and supplier name. As one 
SBOM document notes, ``[c]omponent identification is fundamental to 
SBOM and needs to scale globally across diverse software ecosystems, 
sectors, and markets.'' \7\ The challenge is that different technical 
communities and organizations have different approaches to determining 
software identity.
---------------------------------------------------------------------------

    \7\ Framing Working Group, Nat'l Telecomm. & Info. Admin., 
Software Identification Challenges and Guidance (2021), https://www.ntia.gov/files/ntia/publications/ntia_sbom_software_identity-2021mar30.pdf.
---------------------------------------------------------------------------

    Operational considerations. SBOM is more than a set of data fields. 
Elements of SBOM include a set of operational and business decisions 
and actions that establish the practice of requesting, generating, 
sharing, and consuming SBOMs. This includes:
     Frequency. Operational considerations touch on when and 
where the SBOM data is generated and tracked. SBOM data could be 
created and stored in the repository of the source. For built software, 
it can be tracked and assembled at the time of build. A new build or an 
update to the underlying source should, in turn, create a new SBOM.
     Depth. The ideal SBOM should track dependencies, 
dependencies of those dependencies, and so on down to the complete 
graph of the assembled software. Complete depth may not always be 
feasible, especially as SBOM practices are still novel in some 
communities. When an SBOM cannot convey the full set of transitive 
dependencies, it should explicitly acknowledge the ``known unknowns,'' 
so that the SBOM consumer can easily determine the difference between a 
component with no further dependencies and a component with unknown or 
partial dependencies.
     Delivery. SBOMs should be available in a timely fashion to 
those who need them and have proper access permissions and roles in 
place. Sharing SBOM data down the supply chain can be thought of as 
comprising two parts: How the existence and availability of the SBOM is 
made known (advertisement or discovery) and how the SBOM is retrieved 
by or transmitted to those who have the appropriate permissions 
(access).\8\ Similar to other areas of software assurance, there will 
not be a one-size-fits-all approach. Anyone offering SBOMs must have 
some mechanism to deliver them, but this can ride on existing 
mechanisms. SBOM delivery can reflect the nature of the software as 
well: Executables that live on endpoints can store the SBOM data on 
disk with the compiled code, whereas embedded systems or online

[[Page 29570]]

services can have pointers to SBOM data stored online.
---------------------------------------------------------------------------

    \8\ Framing Working Grp., Nat'l Telecomm. & Info. Admin., 
Sharing and Exchanging SBOMs (2021), https://www.ntia.gov/files/ntia/publications/ntia_sbom_sharing_exchanging_sboms-10feb2021.pdf.
---------------------------------------------------------------------------

    Automation support. A key element for SBOM to scale across the 
software ecosystem, particularly across organizational boundaries, is 
support for automation, including automatic generation and machine-
readability. As the Executive Order notes, SBOMs should be machine-
readable and should allow ``for greater benefits through automation and 
tool integration.'' Manual entry or distribution with spreadsheets does 
not scale, especially across organizations.
    The SBOM community has identified three existing data standards 
(formats) that can convey the data fields and be used to support the 
operations described above: SPDX,\9\ CycloneDX,\10\ and SWID tags.\11\ 
Experts in these formats have mapped between them to create 
interoperability for the baseline described above. Because these 
formats already are subject to public input and translation tools 
exist, they serve as logical starting points for sharing basic 
data.\12\
---------------------------------------------------------------------------

    \9\ See also SPDX, https://spdx.dev/ (last visited May 18, 
2021).
    \10\ See also CycloneDX, https://cyclonedx.org/ (last visited 
May 18, 2021).
    \11\ See David Waltermire et al., Guidelines for the Creation of 
Interoperable Software Identification (SWID) Tags (2016) (Nat'l 
Inst. of Standards & Tech. Internal Rep. 8060), http://dx.doi.org/10.6028/NIST.IR.8060 (SWID tags are defined by ISO/IEC 19770-
2:2015).
    \12\ See, e.g., SwiftBOM--SBOM Generator for PoC and Demos, 
https://democert.org/sbom/ (last visited May 18, 2021).
---------------------------------------------------------------------------

    In addition to the three SBOM formats, the need for automation 
defines how some of the fields might be implemented better. For 
instance, machine-scale detection of vulnerabilities requires mapping 
component identity fields to existing vulnerability databases.

Request for Comment

    The discussion above lays out the collected data points and 
experience from experts and practitioners in SBOM, including existing 
practices and novel proof-of-concept work. To inform, validate, and 
update NTIA's understanding of SBOM, NTIA seeks comment on the 
following questions:
    1. Are the elements described above, including data fields, 
operational considerations, and support for automation, sufficient? 
What other elements should be considered and why?
    2. Are there additional use cases that can further inform the 
elements of SBOM?
    3. SBOM creation and use touches on a number of related areas in IT 
management, cybersecurity, and public policy. We seek comment on how 
these issues described below should be considered in defining SBOM 
elements today and in the future.
    a. Software Identity: There is no single namespace to easily 
identify and name every software component. The challenge is not the 
lack of standards, but multiple standards and practices in different 
communities.
    b. Software-as-a-Service and online services: While current, cloud-
based software has the advantage of more modern tool chains, the use 
cases for SBOM may be different for software that is not running on 
customer premises or maintained by the customer.
    c. Legacy and binary-only software: Older software often has 
greater risks, especially if it is not maintained. In some cases, the 
source may not even be obtainable, with only the object code available 
for SBOM generation.
    d. Integrity and authenticity: An SBOM consumer may be concerned 
about verifying the source of the SBOM data and confirming that it was 
not tampered with. Some existing measures for integrity and 
authenticity of both software and metadata can be leveraged.
    e. Threat model: While many anticipated use cases may rely on the 
SBOM as an authoritative reference when evaluating external information 
(such as vulnerability reports), other use cases may rely on the SBOM 
as a foundation in detecting more sophisticated supply chain attacks. 
These attacks could include compromising the integrity of not only the 
systems used to build the software component, but also the systems used 
to create the SBOM or even the SBOM itself. How can SBOM position 
itself to support the detection of internal compromise? How can these 
more advanced data collection and management efforts best be integrated 
into the basic SBOM structure? What further costs and complexities 
would this impose?
    f. High assurance use cases: Some SBOM use cases require additional 
data about aspects of the software development and build environment, 
including those aspects that are enumerated in Executive Order 
14028.\13\ How can SBOM data be integrated with this additional data in 
a modular fashion?
---------------------------------------------------------------------------

    \13\ Exec. Order No.14028 Sec.  4(e)(i)-(x), 86 FR 26633, 26638-
39 (May 12, 2021).
---------------------------------------------------------------------------

    g. Delivery. As noted above, multiple mechanisms exist to aid in 
SBOM discovery, as well as to enable access to SBOMs. Further 
mechanisms and standards may be needed, yet too many options may impose 
higher costs on either SBOM producers or consumers.
    h. Depth. As noted above, while ideal SBOMs have the complete graph 
of the assembled software, not every software producer will be able or 
ready to share the entire graph.
    i. Vulnerabilities. Many of the use cases around SBOMs focus on 
known vulnerabilities. Some build on this by including vulnerability 
data in the SBOM itself. Others note that the existence and status of 
vulnerabilities can change over time, and there is no general guarantee 
or signal about whether the SBOM data is up-to-date relative to all 
relevant and applicable vulnerability data sources.
    j. Risk Management. Not all vulnerabilities in software code put 
operators or users at real risk from software built using those 
vulnerable components, as the risk could be mitigated elsewhere or 
deemed to be negligible. One approach to managing this might be to 
communicate that software is ``not affected'' by a specific 
vulnerability through a Vulnerability Exploitability eXchange (or 
``VEX''),\14\ but other solutions may exist.
---------------------------------------------------------------------------

    \14\ David Braue, Software `Bill of Materials' To Become 
Standard?, Info. Age (Oct. 22, 2020, 11:34 a.m.), https://ia.acs.org.au/article/2020/software-bill-of-materials-to-become-standard.html.
---------------------------------------------------------------------------

    4. Flexibility of implementation and potential requirements. If 
there are legitimate reasons why the above elements might be difficult 
to adopt or use for certain technologies, industries, or communities, 
how might the goals and use cases described above be fulfilled through 
alternate means? What accommodations and alternate approaches can 
deliver benefits while allowing for flexibility?
    Instructions for Commenters: NTIA invites comment on the full range 
of issues that may be presented in this Notice, including issues that 
are not specifically raised in the above questions. Commenters are 
encouraged to address any or all of the above questions. Comments that 
contain references to studies, research, and other empirical data that 
are not widely available should include copies of the referenced 
materials with the submitted comments. Comments submitted by email 
should be machine-readable and should not be copy-protected. Responders 
should include the name of the person or organization filing the 
comment, which will facilitate agency follow up for clarifications as 
necessary, as well as a page number on each page of their submissions. 
All comments received are a part of the public record and will be 
posted on regulations.gov

[[Page 29571]]

and the NTIA website, https://www.ntia.gov/, without change. All 
personal identifying information (for example, name, address) 
voluntarily submitted by the commenter may be publicly accessible. Do 
not submit confidential business information or otherwise sensitive or 
protected information.

    Dated: May 27, 2021.
Kathy D. Smith,
Chief Counsel, National Telecommunications and Information 
Administration.
[FR Doc. 2021-11592 Filed 6-1-21; 8:45 am]
BILLING CODE 3510-60-P