Open ohsh6o opened 3 years ago
@its-a-lisa-at-work, this is looking more relevant by the day, and the federal government, GSA in particular, can set the tone.
Specifically, we ought to build a public SBOM clearing house for agencies to see and share.
Yes! Let's talk about how we should go about this!
Many of us have talked of Software Bill-of-Materials initiatives in the past, but I believe GSA specifically, but also all federal agencies generally, are in a unique position to argue for a publicly viewable clearing house of comprehensive, cross-referenced SBOM data of all federal information systems in a clearinghouse website, for federal stakeholders and US citizens.
Many will question the soundness of this, but increasingly TTS, GSA, and beyond develop software open-source first, so third parties can easily cross-reference this information themselves. For closed-source or commercial products, some level of reverse engineering imposes difficulty, but it is not impossible for compiled artifacts with limited or no obfuscation to determine dependency trees from compilation artifacts or metadata.
The only people who do not have ready, timely access to this data, whether for the purposes of general awareness or long-term compliance with USG policy on the priority of supply chain risk management, are federal information system owners, security officials, and stakeholders. How can we turn this around? :-)
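As an added illustration of the cross-referencing the thread is asking for (this example is not part of the issue and not code from GSA or TTS), the following Python builds a minimal clearinghouse index from a few CycloneDX-style SBOM documents and answers the two questions a system owner would ask first: which systems contain a given component, and which components are shared across several systems. The system names, packages and versions are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample SBOMs in a CycloneDX JSON subset. System names, packages
# and versions are made up for this example and do not describe real systems.
SAMPLE_SBOMS = {
    "grants-portal": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"name": "lodash", "version": "4.17.20",
             "purl": "pkg:npm/lodash@4.17.20"},
            {"name": "express", "version": "4.18.2",
             "purl": "pkg:npm/express@4.18.2"},
        ],
    }),
    "identity-broker": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"name": "lodash", "version": "4.17.20",
             "purl": "pkg:npm/lodash@4.17.20"},
            {"name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        ],
    }),
    "records-archive": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"name": "lodash", "version": "4.17.21",
             "purl": "pkg:npm/lodash@4.17.21"},
        ],
    }),
}


def parse_sbom(text):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]


def build_index(sboms):
    """Map each (name, version) pair to the set of systems that ship it."""
    index = defaultdict(set)
    for system, text in sboms.items():
        for component in parse_sbom(text):
            index[component].add(system)
    return index


def systems_with(index, name, version=None):
    """Systems containing a component, optionally pinned to one version."""
    hits = set()
    for (n, v), systems in index.items():
        if n == name and (version is None or v == version):
            hits |= systems
    return hits


def shared_components(index, min_systems=2):
    """Components present in at least min_systems systems (shared exposure)."""
    return {c: s for c, s in index.items() if len(s) >= min_systems}


if __name__ == "__main__":
    idx = build_index(SAMPLE_SBOMS)
    print("systems shipping lodash 4.17.20:",
          sorted(systems_with(idx, "lodash", "4.17.20")))
    for (name, version), systems in shared_components(idx).items():
        print(f"{name}@{version} is shared by {sorted(systems)}")
```

The index is keyed on exact name and version so that a fix deployed in one system (the 4.17.21 archive above) drops out of the affected set while the others remain visible; a real clearinghouse would key on the purl and fold in the SBOM's dependency graph, but the lookup shape stays the same.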