Energy official urges CISA to develop storehouse for software bills of materials


A senior cybersecurity advisor for the Department of Energy said a central repository of software bills of materials for widely used products would significantly reduce the burden on federal agencies.

A Department of Energy official is hoping the Cybersecurity and Infrastructure Security Agency will establish and maintain a central repository for software bills of materials covering some of the most widely used software products in the federal government.

Amy Hamilton, a senior cybersecurity advisor for DOE, said such a repository would ease the burden on agencies working to develop SBOMs as the White House and Congress continue to release guidance and directives for the itemized lists of components that make up software applications.

While SBOMs can support a comprehensive cybersecurity framework, indicate where vulnerabilities may exist in software and provide increased transparency, their development can be difficult for agencies, Hamilton said on Wednesday at FCW's CDM Summit covering the Continuous Diagnostics and Mitigation program.
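The two uses Hamilton describes, itemizing a product's components and using that list to see where known vulnerabilities may sit, are easier to picture with a small worked example. The code below is an added illustration, not code from DOE, CISA or the article: it parses a minimal SBOM in the CycloneDX JSON shape, matches each component against an advisory list by version range, and wraps the lookup in a dictionary standing in for the kind of shared repository the article discusses. The product, library names, versions and advisory identifiers are all constructed for this example.

```python
"""Added example: parse a CycloneDX-style SBOM and match its components
against an advisory list. Every product, library, version and advisory id
here is constructed for illustration; none refers to a real product or advisory."""
import json
from itertools import takewhile
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM, trimmed to the CycloneDX fields this example uses.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "widgetlib", "version": "1.4.2"},
        {"type": "library", "name": "netparse", "version": "0.9.1"},
        {"type": "library", "name": "tlsbridge", "version": "2.0.0"},
    ],
})

# Constructed advisories: affected range is [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "widgetlib", "introduced": "1.0.0", "fixed": "1.4.5"},
    {"id": "ADV-EXAMPLE-002", "name": "netparse", "introduced": "1.0.0", "fixed": "1.2.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; only the leading digits
    of each segment count, so '2.0.0-rc1' compares as (2, 0, 0)."""
    out = []
    for part in v.split("."):
        digits = "".join(takewhile(str.isdigit, part))
        out.append(int(digits) if digits else 0)
    return tuple(out)


def parse_sbom(text: str) -> List[Dict[str, str]]:
    """Return the (name, version) pairs listed in a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported bomFormat: %r" % doc.get("bomFormat"))
    comps = []
    for c in doc.get("components", []):
        if "name" in c and "version" in c:
            comps.append({"name": c["name"], "version": c["version"]})
    return comps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_affected(components: List[Dict[str, str]],
                  advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross the component list with the advisory list and report matches."""
    hits = []
    for c in components:
        for a in advisories:
            if a["name"] == c["name"] and is_affected(c["version"], a["introduced"], a["fixed"]):
                hits.append({"component": c["name"], "version": c["version"], "advisory": a["id"]})
    return hits


class SbomRepository:
    """In-memory stand-in for a shared SBOM store keyed by product and version."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def publish(self, product: str, version: str, sbom_text: str) -> None:
        parse_sbom(sbom_text)  # reject malformed documents before storing them
        self._store[(product, version)] = sbom_text

    def lookup(self, product: str, version: str) -> Optional[str]:
        return self._store.get((product, version))


def check_product(repo: SbomRepository, product: str, version: str,
                  advisories: List[Dict[str, str]]) -> Optional[List[Dict[str, str]]]:
    """Fetch a product's SBOM from the repository and return its advisory matches,
    or None when the repository has no SBOM for that product version."""
    text = repo.lookup(product, version)
    if text is None:
        return None
    return find_affected(parse_sbom(text), advisories)


if __name__ == "__main__":
    repo = SbomRepository()
    repo.publish("example-portal", "3.2.0", SAMPLE_SBOM)
    for hit in check_product(repo, "example-portal", "3.2.0", SAMPLE_ADVISORIES) or []:
        print("%(component)s %(version)s matches %(advisory)s" % hit)
```

Only `widgetlib` is reported: `netparse` 0.9.1 falls below the advisory's introduced version, and `tlsbridge` has no advisory at all. Real advisories carry richer version specifiers than a single range, and real SBOMs identify components by package URL rather than bare name, so a production matcher would key on the `purl` field; the shape of the check is the same.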

"All we want from an agency perspective is one place" for SBOMs, Hamilton said, adding: "We're hoping it's CISA."

"Most of the agencies are going to be using the same things from the big suppliers," she said. "If we could just go to a central repository and get those instead of our agency, because that's going to be extraordinarily intensive."

The White House released a memorandum in September requiring agencies to obtain self-attestations from third-party software producers confirming that their code conforms to security guidance from the National Institute of Standards and Technology. NIST has also recommended that agencies require SBOMs in all software acquisitions, and the House-passed 2023 defense policy bill included language requiring software vendors for the federal government to include bills of material for their code and sign attestations confirming their products are free of defects.

But some industry groups have pushed back on recent guidance, saying some agencies currently lack the capabilities to properly implement and utilize the itemized lists.

CISA portfolio management section chief Paul Loeffler, who also spoke at FCW's CDM Summit on Wednesday, said that a central repository for SBOMs hosted by the nation's cyber defense agency could eventually become a reality, though no official plans have been made.

"It's not out of the realm of possibility," Loeffler said, adding: "CISA is really trying to find ways that we can answer some of these questions for agencies."