Federal Adoption of Software Code Inventory in the Works, State Department Official Says
Zetra Batiste, the enterprise chief information security officer for cybersecurity supply chain risk management at the Department of State, spoke with Federal News Network about government efforts to kickstart the use of software bills of materials, which are records of program components and their sources and dependencies. The State Department is in the process of assembling a working group aimed at establishing guidelines for generating and storing the ingredient lists, Federal News Network reported Friday.
According to Batiste, work needs to be done to automate SBOM creation and make it machine-readable. She added that her team is developing such capabilities while looking into third-party solutions to validate assurances by software vendors as to the contents of their products.
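To make the two ideas in this paragraph concrete, the following Python is an added example, not code from the State Department or from the article: it generates a minimal machine-readable SBOM from the components on hand and then checks a vendor-supplied SBOM against the artifacts actually delivered, which is the kind of validation of vendor assurances described above. The record uses CycloneDX JSON field names but is a simplified document that is not validated against the published schema, and the component bytes, names, versions and supplier are constructed placeholders; the function names `build_sbom`, `to_json`, `parse_sbom` and `verify_declaration` are this example's own.

```python
import hashlib
import json

# Constructed sample components standing in for what a vendor ships; the bytes are
# placeholders, not real binaries (assumption for this example).
RECEIVED_ARTIFACTS = [
    {"name": "libfoo", "version": "1.2.3", "supplier": "Example Vendor",
     "bytes": b"constructed bytes for libfoo 1.2.3"},
    {"name": "bar-tool", "version": "0.9.0", "supplier": "Example Vendor",
     "bytes": b"constructed bytes for bar-tool 0.9.0"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(product: str, version: str, artifacts: list) -> dict:
    """Generate a machine-readable SBOM from the components on hand.

    Field names follow CycloneDX JSON (bomFormat, components[].hashes, ...),
    but this is a simplified document and is not checked against the schema.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"type": "application", "name": product, "version": version}},
        "components": [
            {
                "type": "library",
                "name": a["name"],
                "version": a["version"],
                "supplier": {"name": a["supplier"]},
                # One hash per component lets a receiver verify the bytes, not just the name.
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(a["bytes"])}],
            }
            for a in sorted(artifacts, key=lambda a: (a["name"], a["version"]))
        ],
    }


def to_json(sbom: dict) -> str:
    # Deterministic serialisation so the stored record can be diffed and re-read by tools.
    return json.dumps(sbom, sort_keys=True, indent=2)


def parse_sbom(text: str) -> dict:
    # The round trip through text is what "machine-readable" buys: another tool
    # can consume the record without a human re-keying the ingredient list.
    return json.loads(text)


def verify_declaration(declared_sbom: dict, received_artifacts: list) -> list:
    """Compare a vendor-supplied SBOM against the artifacts actually delivered.

    Returns a sorted list of findings; an empty list means the declaration
    matches what was received, component for component and hash for hash.
    """
    declared = {(c["name"], c["version"]): c for c in declared_sbom["components"]}
    received = {(a["name"], a["version"]): sha256_hex(a["bytes"]) for a in received_artifacts}
    findings = []
    for name, ver in declared.keys() - received.keys():
        findings.append(f"declared-but-absent: {name} {ver}")
    for name, ver in received.keys() - declared.keys():
        findings.append(f"undeclared-component: {name} {ver}")
    for key in declared.keys() & received.keys():
        expected = {h["content"] for h in declared[key].get("hashes", [])
                    if h.get("alg") == "SHA-256"}
        if received[key] not in expected:
            findings.append(f"hash-mismatch: {key[0]} {key[1]}")
    return sorted(findings)


if __name__ == "__main__":
    sbom = build_sbom("example-product", "2.0.0", RECEIVED_ARTIFACTS)
    print(to_json(sbom))
    print("clean delivery:", verify_declaration(parse_sbom(to_json(sbom)), RECEIVED_ARTIFACTS))
    # Simulate a component whose bytes differ from what the vendor declared.
    tampered = [dict(a, bytes=b"different bytes") if a["name"] == "libfoo" else a
                for a in RECEIVED_ARTIFACTS]
    print("tampered delivery:", verify_declaration(sbom, tampered))
```

The three finding types are deliberately separate: a component that is declared but absent, one that is present but undeclared, and one whose hash does not match each point to a different failure in the vendor's process, and a reviewer triaging a delivery wants to know which one occurred rather than a single "mismatch" flag.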
To aid in decision-making regarding software adoption, the State Department’s C-SCRM team devised a risk assessment process that involves investigating potential infrastructure threats within its code as well as its vendor’s foreign connections. The agency is also collaborating with the Cybersecurity and Infrastructure Security Agency and various working groups.
CISA is one government organization working to implement near-term solutions before SBOMs become viable. Alongside the Office of Management and Budget, the agency is creating a self-attestation form for vendors to declare that their software product complies with existing safety requirements.
The cybersecurity executive order signed by President Biden in 2021 highlighted SBOMs as important tools in ensuring national security.