Most modern software is assembled from existing components, modules, and libraries drawn from the open source and commercial software world. A detailed accounting of those components isn’t always available, which creates obstacles when protecting against security risks. This challenge is compounded by the growth in Internet of Things devices, as companies add “smart” features or connectivity without clear visibility into a product’s underlying software components.
To address this problem, NTIA is convening a multistakeholder process to develop greater transparency of software components for better security across the digital ecosystem. While the majority of libraries and components do not have known vulnerabilities, many do, and the sheer quantity of software means that some software products ship with out-of-date components that may never be updated.
Through an open, transparent, and consensus-based process, NTIA will work to identify how software component data can be shared, what practices can be easily and voluntarily adopted, and what policy and market challenges should be addressed by the broad community. This initiative builds on prior work by NTIA stakeholders on IoT cybersecurity best practices. It is also NTIA’s first step in implementing the actions put forward by government and industry stakeholders in the Report to the President on Enhancing Resilience Against Botnets.
It is important to note that many technical solutions developed by industry and standards experts are available, but they haven’t been widely adopted. Better coordination is needed among software vendors, purchasing organizations, and security solutions providers to increase awareness of solutions and new approaches. A key objective of this process is building consensus across stakeholders on the best tools for sharing information on component data between vendors and customers.
This initiative will highlight the role of enterprise customers in understanding how component data can be used to better secure their organizations. Stakeholders can address the challenges and obstacles in sharing this data. Ultimately, this process aims to create a market that offers organizations greater transparency for risk management.
NTIA has years of experience in conducting open, multistakeholder processes to help make progress on issues such as finding common ground on cybersecurity vulnerability disclosure, developing clear policy guidance on the secure update of IoT devices, and providing more transparency about data collected by mobile apps.
For the software component transparency initiative, NTIA welcomes participation from across the digital ecosystem, including software vendors, IoT manufacturers, medical device manufacturers, and enterprise customers such as the financial services community, health care delivery organizations, and higher education institutions. We also encourage input from vulnerability management solution providers, information security experts, and civil society.
The first meeting will be July 19, 10 a.m. – 4 p.m., at the American Institute of Architects, 1735 New York Ave. N.W., Washington, DC 20006. For more information, see the Federal Register notice.