Fall 2024 Cybersecurity and Infrastructure Security Agency SBOM-a-Rama; Meeting, 43867-43868 [2024-10922]
Federal Register / Vol. 89, No. 98 / Monday, May 20, 2024 / Notices
[Federal Register Volume 89, Number 98 (Monday, May 20, 2024)]
[Notices]
[Pages 43867-43868]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-10922]
[[Page 43867]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Fall 2024 Cybersecurity and Infrastructure Security Agency SBOM-a-Rama; Meeting
AGENCY: Cybersecurity and Infrastructure Security Agency (CISA),
Department of Homeland Security (DHS).
ACTION: Announcement of public event.
-----------------------------------------------------------------------
SUMMARY: CISA will facilitate a public event to build on existing
community-led work around Software Bill of Materials (SBOM) on specific
SBOM topics. The first goal of this two-day event is to help the
broader software and security community understand the current state of
SBOM. Secondly, this event will foster discussion between organizations
interested in exploring SBOM automation solutions and those focusing on
open source and proprietary tools.
DATES: Wednesday September 11, 2024 from 11:00 a.m. to 6:00 p.m.,
Eastern Daylight Time, or 9:00 a.m. to 4:00 p.m., Mountain Daylight
Time and Thursday September 12, 2024 from 10:00 a.m. to 1:30 p.m.,
Eastern Daylight Time, or 8:00 a.m. to 11:30 a.m., Mountain Daylight
Time.
ADDRESSES: The event will be a hybrid event held at the Denver Athletic
Club, 1325 Glenarm Place, Denver CO 80204, as well as virtually, with
connection information and dial-in information available at https://www.cisa.gov/news-events/events/sbom-rama-fall-2024. A form to allow
individuals to register their interest in either in-person or virtual
participation will be available at https://www.cisa.gov/news-events/events/sbom-rama-fall-2024. See the ``Participation in the SBOM-a-Rama'' section in the SUPPLEMENTARY INFORMATION caption for more
information on how to participate.
FOR FURTHER INFORMATION CONTACT: Allan Friedman, (202) 961-4349, Email:
sbom@cisa.dhs.gov.
SUPPLEMENTARY INFORMATION: An SBOM has been identified by the
cybersecurity community as a key aspect of modern cybersecurity,
including software security and supply chain security. Executive Order
(E.O.) 14028 declares that ``the trust we place in our digital
infrastructure should be proportional to how trustworthy and
transparent that infrastructure is, and to the consequences we will
incur if that trust is misplaced.'' \1\ SBOMs play a key role in
providing this transparency.
---------------------------------------------------------------------------
\1\ E.O. 14028, Improving the Nation's Cybersecurity, 1, 86 FR
26633 (May 17, 2021).
---------------------------------------------------------------------------
E.O. 14028 defines SBOM as ``a formal record containing the details
and supply chain relationships of various components used in building
software.'' \2\ The E.O. further notes that ``. . .software developers
and vendors often create products by assembling existing open source
and commercial software components. The SBOM enumerates these
components in a product.'' \3\ Transparency from SBOMs aids multiple
parties across the software lifecycle, including software developers,
purchasers, and operators.\4\ Recognizing the importance of SBOMs in
transparency and security, and that SBOM evolution and refinement is
likely to be most effective coming from the community, CISA is
facilitating a public event which is intended to advance the software
and security communities' understanding of SBOM creation, use, and
implementation across the broader technology ecosystem.
---------------------------------------------------------------------------
\2\ Id. at 10(j), 86 FR 26633 at 26646 (May 17, 2021).
\3\ Ibid.
\4\ Ibid.
---------------------------------------------------------------------------
I. SBOM Background
The idea of an SBOM is not novel.\5\ It has been discussed and
explored in the software industry for years, building on industrial and
supply chain innovations.\6\ Academics identified the potential value
of a ``software bill of materials'' as far back as 1995,\7\ and
tracking use of third-party code is a longstanding software best
practice.\8\
---------------------------------------------------------------------------
\5\ A brief summary of the history of a software bill of
materials can be found in Carmody, S., Coravos, A., Fahs, G. et al.
Building resilient medical technology supply chains with a software
bill of materials. npj Digit. Med. 4, 34 (2021). https://doi.org/10.1038/s41746-021-00403-w.
\6\ See ``Toyota Supply Chain Management: A Strategic Approach
to Toyota's Renowned System'' by Ananth V. Iyer, Sridhar Seshadri,
and Roy Vasher--a work about Edwards Deming's Supply Chain
Management https://books.google.com/books/about/Toyota_Supply_Chain_Management_A_Strateg.html?id=JY5wqdelrg8C
\7\ Leblang D.B., Levine P.H., Software configuration
management: Why is it needed and what should it do? In: Estublier J.
(eds) Software Configuration Management Lecture Notes in Computer
Science, vol. 1005, Springer, Berlin, Heidelberg (1995).
\8\ The Software Assurance Forum for Excellence in Code
(SAFECode), an industry consortium, has released a report on third
party components that cites a range of standards. Managing Security
Risks Inherent in the Use of Third-party Components, SAFECode (May
2017), available at https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf.
---------------------------------------------------------------------------
Still, SBOM generation and sharing across the software supply chain
was not seen as a commonly accepted practice in modern software. In
2018, the National Telecommunications and Information Administration
(NTIA) convened the first multistakeholder process to promote software
component transparency.\9\ Over the subsequent three years, this
stakeholder community developed guidance to help foster the idea of
SBOM, including high-level overviews, initial advice on implementation,
and technical resources.\10\ When the NTIA-initiated multistakeholder
process concluded, NTIA noted ``what was an obscure idea became a key
part of the global agenda around securing software supply chains.''
\11\ In July 2022, CISA facilitated eight public listening sessions
around four open topics (two for each topic): Cloud & Online
Applications, Sharing & Exchanging SBOMs, Tooling & Implementation, and
On-ramps & Adoption.\12\ These public listening sessions resulted in
the formation of four public, community-led workstreams around each of
the four topics. These groups have been convening on a weekly basis
since August 2022. More information can be found at https://cisa.gov/SBOM.
---------------------------------------------------------------------------
\9\ National Telecommunications and Information Administration
(NTIA), Notice of Open Meeting, 83 FR 26434 (June 7, 2018).
\10\ Ntia.gov/SBOM.
\11\ NTIA, Marking the Conclusion of NTIA's SBOM Process (Feb.
9, 2022), https://www.ntia.doc.gov/blog/2022/marking-conclusion-ntia-s-sbom-process.
\12\ Public Listening Sessions on Advancing SBOM Technology,
Processes, and Practices, https://www.federalregister.gov/documents/2022/06/01/2022-11733/public-listening-sessions-on-advancing-sbom-technology-processes-and-practices.
---------------------------------------------------------------------------
CISA believes that the concept of SBOM and its implementation would
benefit from further refinement, and that a broad-based community
effort can help scale and operationalize SBOM implementation. To
support such a community effort to advance SBOM technologies,
processes, and practices, CISA facilitated the 2023 CISA SBOM-a-Rama
and the Winter 2024 SBOM-a-Rama. These events reach a broader,
international audience, and allow the exchange of information and ideas
from more perspectives. The Fall 2024 SBOM-a-Rama will build on the
previous events to offer updates as well as present new discussion
topics for consideration by the community.
II. Topics for CISA SBOM-a-Rama
The goal of this event is to help the broader software and security
community understand the current state of SBOM and what efforts have
been made by different parts of the SBOM community, including CISA-
facilitated, community-led work and other activity from sectors and
governments. Attendees are invited to ask questions, share comments,
and raise further issues that need attention. CISA will also facilitate
conversations on how the
community can most efficiently make progress in addressing gaps in the
SBOM ecosystem. One key focus of this event will be the need for tools
to automate SBOM creation, management, and consumption.
A full agenda will be posted in advance of the meeting at https://www.cisa.gov/news-events/events/sbom-rama-fall-2024.
III. Participation in the SBOM-a-Rama
This event is open to the public. CISA welcomes participation from
anyone interested in learning about the current state of SBOM practice
and implementation including private sector practitioners, policy
experts, academics, and representatives from non-U.S. organizations.
Additional information, including the meeting link, will be available
one week before the meeting date at https://www.cisa.gov/SBOM.
This notice is issued under the authority of 6 U.S.C. 652(c)(10)-(11) and
6 U.S.C. 659(c)(4).
Eric Goldstein,
Executive Assistant Director for Cybersecurity, Cybersecurity and
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2024-10922 Filed 5-17-24; 8:45 am]
BILLING CODE 9111-LF-P