4-6 November | Sheraton Grand Doha, Qatar

SBOMS: BOMS for Vulnerability Tracking. Boom or Bust (A13c)

04 Nov 2024
5:00 pm

NIAP started an SBOM pilot on March 1, 2024 (Policy 30: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/policy-ltr-30.pdf and https://www.niap-ccevs.org/Documents_and_Guidance/policy-ltr-30-add1.pdf) for NIAP’s Application Software Protection Profile (https://www.niap-ccevs.org/Profile/Info.cfm?PPID=462&id=462). The purpose of the project is the use of SBOMs for vulnerability tracking, not the creation of SBOMs. This is pioneering work, since most countries are still in the early phases of determining how to use SBOMs once they are received. This talk will discuss the SBOM requirements NIAP has decided on and the reasons behind them, what NIAP has learned so far from requiring SBOMs from vendors, how NIAP uses the SBOMs, and the path forward under the crawl, walk, run model. When the pilot for the Application Software PP started on March 1, 2024, NIAP also formed a CCUF SBOM WG to discuss the pilot with vendors, and a policy with some initial requirements (Policy 30) was published on NIAP’s website. Although the pilot is not far along, several items that need to be addressed have already been identified. The SBOMs are loaded into an SBOM vulnerability management tool, and further guidance will be issued to vendors over the summer. This talk will report what NIAP has learned so far.
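The abstract describes the core use case, loading received SBOMs into a tool that tracks vulnerabilities against the listed components, without showing the mechanics. The following is an added, self-contained example (not NIAP's tool, not a vendor submission, and not code from the talk) of that matching step: a constructed CycloneDX-style SBOM is parsed, each component's package URL (purl) is looked up in a constructed vulnerability feed, and version ranges decide whether the component is affected. The vulnerability IDs, package names and versions are placeholders; the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM for illustration only (not a real submission).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-app", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2",
     "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "3.0.1",
     "purl": "pkg:npm/jsonparse@3.0.1"},
    {"type": "library", "name": "zlibish", "version": "1.2.13",
     "purl": "pkg:generic/zlibish@1.2.13"}
  ]
}
"""

# Constructed vulnerability feed. "purl" is the package without a version;
# "introduced" is the first affected version, "fixed" the first fixed version
# (None means no fix is known yet). IDs are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-0001", "purl": "pkg:generic/libfoo",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "VULN-PLACEHOLDER-0002", "purl": "pkg:npm/jsonparse",
     "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "VULN-PLACEHOLDER-0003", "purl": "pkg:generic/zlibish",
     "introduced": "1.2.0", "fixed": None},
]


def parse_version(version):
    """Assumes plain dotted numeric versions (e.g. 1.4.2); compared as int tuples."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    base, _, version = purl.partition("@")
    return base, version


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_components(sbom_json):
    """Return (purl, version) pairs for every SBOM component carrying a purl."""
    sbom = json.loads(sbom_json)
    return [(c["purl"], c["version"])
            for c in sbom.get("components", []) if "purl" in c]


def match_sbom(sbom_json, feed):
    """Join SBOM components against the feed by versionless purl and range."""
    index = {}
    for record in feed:
        index.setdefault(record["purl"], []).append(record)
    findings = []
    for purl, version in load_components(sbom_json):
        base, purl_version = split_purl(purl)
        for record in index.get(base, []):
            if is_affected(purl_version or version,
                           record["introduced"], record["fixed"]):
                findings.append({"purl": purl, "id": record["id"],
                                 "fixed": record["fixed"]})
    return findings


def new_findings(previous, current):
    """Tracking step: findings present in the latest scan but not the prior one."""
    seen = {(f["purl"], f["id"]) for f in previous}
    return [f for f in current if (f["purl"], f["id"]) not in seen]


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, VULN_FEED):
        print(finding)
```

The tracking value comes from re-running `match_sbom` whenever the feed changes and diffing with `new_findings`, so a vulnerability published after the SBOM was received still surfaces against the already-evaluated component list.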