NIST SP 800-218: Secure Software Development Framework
NIST's guidance for complying with the Cybersecurity Executive Order (EO 14028) asks makers of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) software to: “Collect, maintain, and share provenance data for all components and other dependencies of each software release (e.g., in a Software Bill of Materials [SBOM]).”
In short, every supplier of software to federal agencies now has two deliverables: the software itself and a Software Bill of Materials describing what is in it.
In this paper, you will learn:
• Why SBOMs have taken center stage for managing supply chain risk
• How SBOM requirements have evolved beyond just open source
• What it takes to make SBOM generation part of daily activities
The National Institute of Standards and Technology (NIST) publishes standards for a secure software development life cycle (SDLC) and for strengthening software supply chain risk management practices. That guidance also sets out criteria for secure software development environments, the use of automated tools to identify vulnerabilities in code, the maintenance of accurate and up-to-date data on the provenance (origin) of software code and components, and the delivery of a Software Bill of Materials (SBOM) to purchasers of the software.
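As an added example (not code from NIST or from this paper), the following Python shows what the "provenance data for all components" requirement looks like in practice: it builds a minimal CycloneDX-style SBOM for a constructed release, records a package URL and a SHA-256 hash for each component, flags any component whose provenance is incomplete before the SBOM is shared, and shows the hash check a purchaser can run against the artifact they actually received. The product name, component names and artifact bytes are constructed for illustration; the field names follow the public CycloneDX JSON format.

```python
"""Build a minimal CycloneDX-style SBOM for a release and check that every
component carries provenance data (a package URL and an artifact hash).

Assumptions (not from the original paper): the product, component names and
artifact bytes below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Component:
    name: str
    version: str
    ecosystem: str             # purl type: "pypi", "npm", "maven", "generic", ...
    artifact: Optional[bytes]  # the bytes actually shipped; None if never captured


def package_url(c: Component) -> str:
    """Package URL (purl) naming the exact upstream component and version."""
    return f"pkg:{c.ecosystem}/{c.name}@{c.version}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def component_entry(c: Component) -> dict:
    entry = {
        "type": "library",
        "name": c.name,
        "version": c.version,
        "purl": package_url(c),
    }
    # Provenance is only as good as the evidence behind it: record a hash of
    # the shipped bytes when we have them, and omit the field (rather than
    # inventing one) when we do not, so the gap stays visible to the checker.
    if c.artifact is not None:
        entry["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(c.artifact)}]
    return entry


def build_sbom(product: str, version: str, components: List[Component]) -> dict:
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": product, "version": version}
        },
        "components": [component_entry(c) for c in components],
    }


def missing_provenance(sbom: dict) -> List[str]:
    """Supplier-side release gate: components lacking a purl or a hash."""
    return [
        comp["name"]
        for comp in sbom["components"]
        if not comp.get("purl") or not comp.get("hashes")
    ]


def verify_component(sbom: dict, name: str, artifact: bytes) -> bool:
    """Purchaser-side check: does the artifact received match the SBOM's hash?"""
    for comp in sbom["components"]:
        if comp["name"] != name:
            continue
        expected = {h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"}
        return sha256_hex(artifact) in expected
    return False  # component not listed at all


# Constructed sample release: two packaged dependencies and one vendored
# component whose shipped bytes were never captured by the build.
SAMPLE_COMPONENTS = [
    Component("example-http", "2.2.1", "pypi", b"example-http-2.2.1 wheel bytes (constructed)"),
    Component("example-util", "4.17.21", "npm", b"example-util-4.17.21 tarball bytes (constructed)"),
    Component("vendored-parser", "0.9", "generic", None),
]

if __name__ == "__main__":
    sbom = build_sbom("example-app", "2.3.0", SAMPLE_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    print("components missing provenance:", missing_provenance(sbom))
```

The release gate is the part worth keeping: an SBOM that lists a component without a hash or purl satisfies the letter of "provide an SBOM" but gives the purchaser nothing to verify, so `missing_provenance` should block the release until the vendored component's bytes are captured and hashed.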