None of the nearly 80 organizations that the Cyber Safety Review Board canvassed for its first report, including many federal agencies, used software inventories to find vulnerable Log4j deployments.
CSRB found that not every organization even had software bills of materials (SBOMs), machine-readable inventories of a product's components and how they relate, in part because data formats haven't been standardized.
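The report's point is that a machine-readable inventory lets a defender answer "where is the vulnerable library, and what pulls it in?" in seconds rather than weeks. The following added example (not code from the CSRB report or any organization it surveyed) shows that lookup over a constructed CycloneDX 1.4 JSON SBOM: it flags `log4j-core` components whose version falls in an affected range and walks the SBOM's dependency graph backwards to show which top-level component brought each one in. The component names, versions and `bom-ref` values are sample data, and the affected range is a configurable assumption set here to the widely published 2.0 through 2.14.1 window for the December 2021 disclosure; Log4j 1.x is deliberately out of scope.

```python
import json
import re
from collections import defaultdict

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical "billing-service".
# Every name, version and bom-ref below is sample data, not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": "log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "bom-ref": "log4j-core@2.17.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "bom-ref": "spring-boot-starter",
         "group": "org.springframework.boot", "name": "spring-boot-starter", "version": "2.5.0"},
        {"type": "library", "bom-ref": "reporting-lib",
         "group": "com.example", "name": "reporting-lib", "version": "1.0.0"},
    ],
    # "dependencies" is the relationship graph: each entry says what a component depends on.
    "dependencies": [
        {"ref": "app", "dependsOn": ["spring-boot-starter", "reporting-lib"]},
        {"ref": "spring-boot-starter", "dependsOn": ["log4j-core@2.17.1"]},
        {"ref": "reporting-lib", "dependsOn": ["log4j-core@2.14.1"]},
    ],
})

# Assumed affected window (inclusive). Adjust to the advisory you are acting on.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
TARGET_GROUP = "org.apache.logging.log4j"
TARGET_NAME = "log4j-core"


def parse_version(version):
    """Reduce a Maven-style version to a (major, minor, patch) tuple.
    Pre-release suffixes such as '2.0-beta9' collapse to (2, 0, 0), which keeps
    early 2.0 betas inside the affected window."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def is_affected(version):
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def find_affected(bom):
    """Return bom-refs of log4j-core components inside the affected window."""
    return [
        c["bom-ref"] for c in bom.get("components", [])
        if c.get("group") == TARGET_GROUP
        and c.get("name") == TARGET_NAME
        and is_affected(c.get("version", ""))
    ]


def build_reverse_graph(bom):
    """Map each component to the components that depend on it."""
    rev = defaultdict(list)
    for d in bom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            rev[child].append(d["ref"])
    return rev


def find_affected_paths(sbom_json):
    """For every affected log4j-core component, list each root-to-component
    dependency chain, so the owner of the pulling-in component can be found."""
    bom = json.loads(sbom_json)
    rev = build_reverse_graph(bom)
    result = {}
    for ref in find_affected(bom):
        paths = []

        def walk(node, path, seen):
            parents = rev.get(node, [])
            if not parents:                      # reached a root component
                paths.append(list(reversed(path)))
                return
            for parent in parents:
                if parent not in seen:           # guard against cyclic SBOM data
                    walk(parent, path + [parent], seen | {parent})

        walk(ref, [ref], {ref})
        result[ref] = paths
    return result


if __name__ == "__main__":
    for ref, chains in find_affected_paths(SAMPLE_SBOM).items():
        for chain in chains:
            print(f"{ref}: " + " -> ".join(chain))
```

Run as-is, the script reports only `log4j-core@2.14.1`, reached through `app -> reporting-lib`, and stays silent about the patched 2.17.1 copy that `spring-boot-starter` pulls in. That distinction, two copies of the same library with only one in scope, is exactly what an inventory that records relationships makes cheap and a plain filename search makes error-prone.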
The Department of Homeland Security tapped CSRB to review the U.S. response to the Log4j vulnerability, one of the most serious to date, publicly disclosed on Dec. 10. In its report released Thursday, CSRB recommended SBOM tooling and adoptability be improved to support faster software supply chain vulnerability response.
“Generally our observation is that the entities who are using open source software really should be looking to help support that community directly in getting them access to training programs, developing the tools that will make things like SBOMs adoptable and being able to measure the efficacy of the security of objects,” said Heather Adkins, CSRB deputy chair, on a press call. “And we think that’s a whole-of-community approach that’s going to be needed.”
In the meantime, developers should generate and ship SBOMs with their software, with plans for tooling and process upgrades as they become available, according to the report. The recommendation aligns with the Cybersecurity and Infrastructure Security Agency issuing a solicitation in May for open-source software libraries and other tools foundational to SBOMs, which many federal contractors hope become the standard for proving government-mandated compliance with the Secure Software Development Framework.
CSRB recommended agencies prepare to “champion and adopt” SBOMs as the technology matures and the Office of Management and Budget, Office of the National Cyber Director, and CISA consider issuing guidance on using software inventories and metadata to improve vulnerability detection and response.
The report further recommends that the government require software transparency from vendors, spearheaded by OMB and the Federal Acquisition Regulatory Council discouraging the use of products without provenance or dependency information. OMB and the FAR Council should make procurement requirements, guidance, and automation and tooling investments that set expectations for baseline SBOM information and an implementation timeframe, according to CSRB.
Board officials maintained the Log4j event is not over, with vulnerable versions of the free, Java-based logging framework likely to remain in compromised systems for a decade — offering even unsophisticated attackers access. Many companies can’t quickly identify where their vulnerable code is, said Robert Silvers, CSRB chair.
“The rate at which cyber incidents occur is rapidly increasing,” said Homeland Security Secretary Alejandro Mayorkas. “And we’re at a pivotal moment for the department and our public and private sector partners to achieve a more secure cyber ecosystem.”