Sunday, May 26, 2024

CISA Targets Software Identification in Push to Boost Supply Chain Security


The plan is part of a wider effort to boost software security using vulnerability management and SBOMs.

The Cybersecurity and Infrastructure Security Agency requested comments on creating a more harmonized software identification system as part of a larger effort to make the software supply chain more secure. 

Since President Joe Biden issued an executive order on improving cybersecurity in 2021, CISA and other federal agencies have been working to prioritize software security by improving vulnerability management and software bills of materials (SBOMs).

The request for comment is designed to establish uniform parameters to track critical information required to improve software security. Information on known vulnerabilities, what mitigations or security patches are available, and which software is approved for use are all part of the effort, according to a white paper released by CISA. 

“A more robust software identifier ecosystem must be established for a harmonized software identification ecosystem that facilitates greater automation, inventory visibility, and the multifaceted value proposition of SBOM’s broad adoption,” Sandy Radesky, associate director for vulnerability management at CISA, said in a statement.

CISA is seeking comments on several key issues, including the following:

  • Requirements for an effective software identification ecosystem.
  • The merits and challenges of available identifier formats.
  • The viability of a system based on inherent or defined identifiers.
  • The need for a central authority or other body for a software identifier ecosystem. 

The agency is working with experts from the Homeland Security Systems Engineering and Development Institute to identify important elements of such a system. 

All comments must be received by Dec. 11. 

Federal authorities also want to create a global authority that will establish common rules and assign responsibilities related to software identification. 

“Without a shared understanding around how to identify each piece of software, it is impossible to have SBOMs or vulnerability details that can be exchanged in an automated way,” Brian Fox, co-founder and CTO of Sonatype, said via email. “Can you imagine the chaos of food labels if each vendor had their name for sugar?”
