How Finite State Can Help Organizations Align with the National Cybersecurity Strategy Implementation Plan (NCSIP)

For many, it may be overstating the obvious to say that SBOMs have already become a major feature of cybersecurity practice and are fast becoming a critical component of cybersecurity regulation.
 
For others, this may not be so obvious.  They seem to be waiting for the bold-type headline proclaiming the SBOM as the workhorse of the cybersecurity world.
 
For those still seeking confirmation, the recent release of the National Cybersecurity Strategy Implementation Plan (NCSIP) – or, more to the point, the White House fact sheet on the NCSIP – provides something approximating the longed-for bold type.
 
The White House released the National Cybersecurity Strategy (NCS) back on March 2, 2023 – the first such strategy released since 2011.  The purpose of the NCS is to outline a comprehensive approach to cybersecurity that includes both government and private-sector initiatives.  The NCSIP was released on July 13, 2023, and acts as a roadmap to achieve the NCS goals. 
 
One of the key initiatives in the NCSIP calls for the White House to “advance the software bill of materials (SBOM),” and the White House fact sheet (presenting the most salient elements of the NCSIP) declared the following:

Increasing software transparency allows market actors to better understand their supply chain risk and to hold their vendors accountable for secure development practices. CISA continues to lead work with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation. CISA will also … convene an international staff-level working group on SBOM.

The FDA has already established that, beginning on October 1, 2023, it will use its authority under Section 524b to reject any applications for approval of medical devices that do not include an SBOM as part of the submission.

The signals couldn’t be clearer.  While legitimate questions remain as to how effective the SBOM can be as a cornerstone of cybersecurity and how exactly the SBOM can/should be implemented as a requirement (whether under contract or government regulation), there is no question that SBOMs are coming (or have already arrived).
 
Those who hold on to doubt bring to mind the quote: “The only thing harder than preparing is explaining why you didn’t.”

How can Finite State help with its end-to-end SBOM solutions?

Finite State's comprehensive SBOM solutions can help organizations comply with increasing regulatory demands for software transparency in a variety of ways:

Supply Chain Transparency: By providing an end-to-end solution for generating, collecting, visualizing, and distributing software bill of materials (SBOMs), Finite State can help organizations understand and manage their software supply chain risks better. This feature aligns directly with increasing regulatory emphasis on enhancing software transparency.

Unified Risk Management: The ability to ingest data from over 120 scanners and feeds enables Finite State to unify all the tools and intelligence required to secure products or systems. This offers a holistic view of the application security (AppSec) or Product Security environment, helping organizations to address potential vulnerabilities proactively and confidently.

Remediation Guidance: Finite State’s solution provides advanced guidance by aggregating and reconciling results across all scans. This can assist organizations in addressing potential vulnerabilities efficiently and adhering to secure development practices.

Binary Software Composition Analysis (SCA): This enhanced SBOM capability allows Finite State to decompose a product or asset into its components. This laser-focused risk assessment can help organizations understand and mitigate their risk exposure. 

Risk Scoring: Finite State uses an intuitive scoring system to convey the risk levels of a product or asset effectively. This system, backed by a sophisticated risk prioritization mechanism, can assist organizations in identifying high-risk areas.

VEX Support: The complete Vulnerability Exploitability eXchange (VEX) support, including import and export of all VEX formats and advanced vulnerability intelligence correlation, can streamline the process of identifying and mitigating vulnerabilities.

With these features, Finite State can assist organizations in not just understanding their supply chain risks better, but also in holding their vendors accountable for secure development practices, which is a key aim of the proposed regulation.

The Finite State Next Generation Platform can also support organizations in working with agencies like CISA and contribute to initiatives for identifying and reducing gaps in SBOM scale and implementation.