2023 CISA SBOM-a-Rama, 32781-32782 [2023-10825]
Federal Register / Vol. 88, No. 98 / Monday, May 22, 2023 / Notices
[Federal Register Volume 88, Number 98 (Monday, May 22, 2023)]
[Notices]
[Pages 32781-32782]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-10825]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
2023 CISA SBOM-a-Rama
AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.
ACTION: Announcement of public event.
-----------------------------------------------------------------------
SUMMARY: The Cybersecurity and Infrastructure Security Agency will
facilitate a public event to build on existing community-led work
around Software Bill of Materials (``SBOM'') on specific SBOM topics.
DATES: Wednesday, June 14, 2023, from 12:00 p.m. to 6:00 p.m., Eastern
Standard Time, or 9:00 a.m. to 3:00 p.m., Pacific Standard Time.
ADDRESSES: The event will be a hybrid event held at the USC Hotel, 3540
S Figueroa St, Los Angeles, CA 90007, as well as virtually, with
connection information and dial-in information available at
https://www.cisa.gov/SBOM. A form to allow individuals to register their
interest in either in-person or virtual participation will be available
at https://cisa.gov/SBOM. See the ``Participation in the SBOM-a-Rama''
section in the SUPPLEMENTARY INFORMATION caption for more information
on how to participate.
FOR FURTHER INFORMATION CONTACT: Justin Murphy, (202) 961-4350, Email:
justin.murphy@cisa.dhs.gov.
SUPPLEMENTARY INFORMATION: A Software Bill of Materials (``SBOM'') has
been identified by the cybersecurity community as a key aspect of
modern cybersecurity, including software security and supply chain
security. Executive Order 14028 declares that ``the trust we place in
our digital infrastructure should be proportional to how trustworthy
and transparent that infrastructure is, and to the consequences we will
incur if that trust is misplaced.'' \1\ SBOMs play a key role in
providing this transparency.
---------------------------------------------------------------------------
\1\ E.O. 14028, Improving the Nation's Cybersecurity, 1, 86 FR
26633 (May 17, 2021).
---------------------------------------------------------------------------
E.O. 14028 defines SBOM as ``a formal record containing the details
and supply chain relationships of various components used in building
software.'' \2\ The E.O. further notes that ``[s]oftware developers and
vendors often create products by assembling existing open source and
commercial software components. The SBOM enumerates these components in
a product.'' \3\ Transparency from SBOMs aids multiple parties across
the software lifecycle, including software developers, purchasers, and
operators.\4\ Recognizing the importance of SBOMs in transparency and
security, and that SBOM evolution and refinement would be most
effective coming from the community, the Cybersecurity and
Infrastructure Security Agency (CISA) is facilitating a public event
around SBOM, which is intended to advance the software and security
communities' understanding of SBOM creation, use, and implementation
across the broader technology ecosystem.
---------------------------------------------------------------------------
\2\ Id. at 10(j), 86 FR 26633 at 26646 (May 17, 2021).
\3\ Ibid.
\4\ Ibid.
---------------------------------------------------------------------------
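The paragraph above describes an SBOM as a record of a product's components and their supply chain relationships, and says that this transparency aids developers, purchasers and operators. The following Python example, added here and not part of the notice, shows what an operator can actually compute from such a record: a self-consistency check (every dependency edge points at a listed component), the dependency chain from the product down to any component, and a triage of vulnerability advisories that combines SBOM presence with VEX-style statements (the Vulnerability Exploitability eXchange model named in section II). The SBOM structure is a simplified stand-in, not a real CycloneDX or SPDX document, and the package names, versions, advisory identifiers and VEX statuses are all constructed for the example.

```python
"""Worked example: what an SBOM's component list and dependency relationships
let a purchaser or operator compute.

Everything below is constructed for the example. The SBOM is a simplified
record (components keyed by a package reference, plus a dependency graph) in
the spirit of the E.O. 14028 definition; it is not a real CycloneDX or SPDX
document. Package names, versions, advisory identifiers and VEX statements
are all made up.
"""
from collections import deque

SBOM = {
    "product": "pkg:example/webapp@2.1.0",
    "components": {
        "pkg:example/webapp@2.1.0": {"supplier": "Example Corp"},
        "pkg:example/http-server@1.4.2": {"supplier": "Open Source Project A"},
        "pkg:example/json-parser@0.9.1": {"supplier": "Open Source Project B"},
        "pkg:example/compression@2.2.5": {"supplier": "Open Source Project C"},
        "pkg:example/logging@3.0.0": {"supplier": "Example Corp"},
    },
    # parent -> direct dependencies: the "supply chain relationships"
    "dependencies": {
        "pkg:example/webapp@2.1.0": ["pkg:example/http-server@1.4.2", "pkg:example/logging@3.0.0"],
        "pkg:example/http-server@1.4.2": ["pkg:example/json-parser@0.9.1", "pkg:example/compression@2.2.5"],
    },
}

# Constructed advisory feed: vulnerability id -> component refs it affects.
ADVISORIES = {
    "EXAMPLE-VULN-0001": {"pkg:example/compression@2.2.5"},
    "EXAMPLE-VULN-0002": {"pkg:example/json-parser@0.9.1"},
    "EXAMPLE-VULN-0003": {"pkg:example/unused-lib@1.0.0"},  # not shipped in this product
}

# Constructed VEX-style statements from the product supplier:
# (vulnerability id, product ref) -> status ("not_affected" is a real VEX status).
VEX = {
    ("EXAMPLE-VULN-0001", "pkg:example/webapp@2.1.0"): "not_affected",
}


def validate(sbom):
    """Return a list of consistency problems; an empty list means every
    dependency edge in the record points at a listed component."""
    problems = []
    comps = sbom["components"]
    if sbom["product"] not in comps:
        problems.append(f"product {sbom['product']} is not listed as a component")
    for parent, deps in sbom["dependencies"].items():
        if parent not in comps:
            problems.append(f"dependency owner {parent} is not a listed component")
        for dep in deps:
            if dep not in comps:
                problems.append(f"{parent} depends on unlisted component {dep}")
    return problems


def dependency_paths(sbom, target):
    """All dependency chains from the product down to `target`
    (empty list if the target is not part of the product)."""
    paths = []
    stack = [[sbom["product"]]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            paths.append(path)
            continue
        for dep in sbom["dependencies"].get(path[-1], []):
            if dep not in path:  # guard against cycles in a malformed record
                stack.append(path + [dep])
    return paths


def transitive_components(sbom):
    """Every component reachable from the product, including the product itself."""
    seen = set()
    queue = deque([sbom["product"]])
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(sbom["dependencies"].get(ref, []))
    return seen


def triage(sbom, advisories, vex):
    """Relate each advisory to this product: the SBOM decides whether the
    affected component is present, a VEX statement decides exploitability.
    "affected_pending_vex" is this example's own label for "present in the
    product, no supplier statement yet"."""
    product = sbom["product"]
    result = {}
    for vuln_id, affected_refs in advisories.items():
        paths = [p for ref in affected_refs for p in dependency_paths(sbom, ref)]
        if not paths:
            result[vuln_id] = {"status": "not_present", "paths": []}
            continue
        status = vex.get((vuln_id, product), "affected_pending_vex")
        result[vuln_id] = {"status": status, "paths": paths}
    return result


if __name__ == "__main__":
    assert not validate(SBOM), validate(SBOM)
    for vuln_id, info in sorted(triage(SBOM, ADVISORIES, VEX).items()):
        print(vuln_id, info["status"])
        for path in info["paths"]:
            print("   ", " -> ".join(path))
```

Running the block prints one line per advisory: the compression advisory is reported as not_affected because the supplier's VEX statement says so, the json-parser advisory is present with no statement and so stays on the operator's worklist, and the unused-lib advisory is dropped because the SBOM shows it is not in the product. The `validate` step matters in practice: an SBOM whose dependency edges point at components it never lists cannot answer the presence question reliably, so an operator should reject or flag such records before triaging against them.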
I. SBOM Background
The idea of a software bill of materials is not novel.\5\ It has
been discussed and explored in the software industry for many years,
building on industrial and supply chain innovations.\6\ Academics
identified the potential value of a ``software bill of materials'' as
far back as 1995,\7\ and tracking use of third-party code is a
longstanding software best practice.\8\
---------------------------------------------------------------------------
\5\ A brief summary of the history of a software bill of
materials can be found in Carmody, S., Coravos, A., Fahs, G. et al.
Building resilient medical technology supply chains with a software
bill of materials. npj Digit. Med. 4, 34 (2021). https://doi.org/10.1038/s41746-021-00403-w.
\6\ See ``Toyota Supply Chain Management: A Strategic Approach
to Toyota's Renowned System'' by Ananth V. Iyer, Sridhar Seshadri,
and Roy Vasher--a work about Edwards Deming's Supply Chain
Management https://books.google.com/books/about/Toyota_Supply_Chain_Management_A_Strateg.html?id=JY5wqdelrg8C.
\7\ Leblang D.B., Levine P.H., Software configuration
management: Why is it needed and what should it do? In: Estublier J.
(eds) Software Configuration Management Lecture Notes in Computer
Science, vol. 1005, Springer, Berlin, Heidelberg (1995).
\8\ The Software Assurance Forum for Excellence in Code
(SAFECode), an industry consortium, has released a report on third
party components that cites a range of standards. Managing Security
Risks Inherent in the Use of Third-party Components, SAFECode (May
2017), available at https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf.
---------------------------------------------------------------------------
Still, SBOM generation and sharing across the software supply chain
was not seen as a commonly accepted practice in modern software. In
2018, the National Telecommunications and Information Administration
(NTIA) convened the first ``multistakeholder process'' to ``promot[e]
software component transparency.'' \9\ Over the subsequent three years,
this stakeholder community developed guidance to help foster the idea
of SBOM, including high-level overviews, initial advice on
implementation, and technical resources.\10\ When the NTIA-initiated
multistakeholder process concluded, NTIA noted that ``what was an
obscure idea became a key part of the global agenda around securing
software supply chains.'' \11\ In July 2022, CISA facilitated eight
public listening sessions \12\ around four open topics (two for each
topic): Cloud & Online Applications, Sharing & Exchanging SBOMs,
Tooling & Implementation, and On-ramps & Adoption. These public
listening sessions resulted in the formation of four public,
community-led workstreams around each of the four topics. The groups have been
convening on a weekly basis since August 2022. More information can be
found at https://cisa.gov/SBOM.
---------------------------------------------------------------------------
\9\ National Telecommunications and Information Administration
(NTIA), Notice of Open Meeting, 83 FR 26434 (June 7, 2018).
\10\ Ntia.gov/SBOM.
\11\ NTIA, Marking the Conclusion of NTIA's SBOM Process (Feb.
9, 2022), https://www.ntia.doc.gov/blog/2022/marking-conclusion-ntia-s-sbom-process.
\12\ Public Listening Sessions on Advancing SBOM Technology,
Processes, and Practices, https://www.federalregister.gov/documents/2022/06/01/2022-11733/public-listening-sessions-on-advancing-sbom-technology-processes-and-practices.
---------------------------------------------------------------------------
CISA believes that the concept of SBOM and its implementation need
further refinement. Work to help scale and operationalize SBOM
implementation should continue to come from a broad-based community
effort, rather than be dictated by any specific entity. To support such
a community effort to advance SBOM technologies, processes, and
practices, CISA will facilitate the 2023 CISA SBOM-a-Rama.
II. Topics for CISA SBOM-a-Rama
The goal of this meeting is to help the broader software and
security community understand the current state of SBOM and what
efforts have been made by different parts of the SBOM community,
including CISA-facilitated community-led work and other activity from
sectors and governments. Attendees are invited to ask questions, share
comments, and raise further issues that need attention. Specific
presentations will be made on the community-led efforts around sharing
SBOMs, cloud and online applications, tools and implementation, the
Vulnerability Exploitability eXchange (VEX) model, and SBOM on-ramps
and adoption. The event will also feature presentations and discussion
on sectors' and governments' efforts around the world.
[[Page 32782]]
A full agenda will be posted in advance of the meeting at https://cisa.gov/SBOM.
III. Participation in the SBOM-a-Rama
This event is open to anyone. CISA welcomes participation from
anyone interested in learning about the current state of SBOM practice
and implementation, including private sector practitioners, policy
experts, academics, and representatives from non-U.S. organizations. A
form to allow individuals to register their interest in either
in-person or virtual participation will be available at https://cisa.gov/SBOM.
Additional information regarding the 2023 CISA SBOM-a-Rama will be
posted at https://cisa.gov/SBOM.
This notice is issued under the authority of 6 U.S.C. 652(c)(10)-(11),
659(c)(4), (9), (12).
Eric Goldstein,
Executive Assistant Director for Cybersecurity, Cybersecurity and
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2023-10825 Filed 5-19-23; 8:45 am]
BILLING CODE 9110-9P-P