Most modern software is assembled from existing components, modules, and libraries from the open source and commercial software world. A detailed accounting of those components isn’t always available, which can create obstacles when protecting against security risks. This challenge is compounded by the growth in Internet of Things devices, as companies add “smart” features or connectivity without clear visibility into a product’s underlying software components.
To address this problem, NTIA is convening a multistakeholder process to develop greater transparency of software components for better security across the digital ecosystem. While the majority of libraries and components do not have known vulnerabilities, many do, and the sheer quantity of software means that some software products ship with out-of-date components that may never be updated.
Through an open, transparent, and consensus-based process, NTIA will work to identify how software component data can be shared, what practices can be easily and voluntarily adopted, and what policy and market challenges should be addressed by the broad community. This initiative builds on prior work by NTIA stakeholders on IoT cybersecurity best practices. It is also NTIA’s first step in implementing the actions put forward by government and industry stakeholders in the Report to the President on Enhancing Resilience Against Botnets.